public package Foswiki::Validation

"Validation" is the process of ensuring that an incoming request came from a page we generated. Validation keys are injected into all HTML pages generated by Foswiki, in Foswiki::writeCompletePage. When a request that requires validation is received from the browser, it must be accompanied by a validation key. The functions in this package support the generation and checking of these validation keys.
Two validation methods are supported by this module: simple token validation and double-submission validation. Simple token validation stores a magic number in the session and adds that number to all forms in the output HTML. When a form is submitted, the number sent with the form must match the number stored in the session. This is relatively weak protection, since the number is only as secret as the generated page that carries it, but bypassing it takes extra work and so discourages casual attackers.
The second method is properly called the double-submit cookie pattern, but is referred to as "strikeone" in Foswiki. This again uses a token added to output forms, but this time JavaScript combines that token with a secret stored in a cookie to create a new token before the form is posted. This is more secure because the cookie containing the secret can only be read by pages served from the server's own origin, making it much harder for a page hosted on a malicious site to forge a valid transaction.
When a request requiring validation comes in, Foswiki::UI::checkValidationKey is called. This compares the key in the request with the set of valid keys stored in the session. If the comparison fails, the browser is redirected to the login script (even if the user is currently logged in) with the action parameter set to validate. This generates a confirmation screen that the user must accept before the transaction can proceed. When the screen is confirmed, login is invoked again and the original transaction is restored from passthrough.
In the function descriptions below, $cgis is a reference to a CGI::Session object.
StaticMethod addValidationKey( $cgis, $context, $strikeone ) → $form
   $cgis - a CGI::Session
   $context - the context for the key, usually the URL of the target page plus the time. This should be unique for each rendered page.
   $strikeone - if set, expect the nonce to be combined with the session secret before it is posted back.
StaticMethod generateValidationKey( $cgis, $context, $strikeone ) → $nonce
   $cgis - a CGI::Session
   $context - the context for the key, usually the URL of the target page plus the time. This should be unique for each rendered page.
   $strikeone - if set, expect the nonce to be combined with the session secret before it is posted back.
StaticMethod addOnSubmit( $form ) → $form
   $form - the opening tag of a form, i.e. <form ...>
Returns the tag with the JavaScript onsubmit handler that performs the strikeone combination attached.
StaticMethod getCookie( $cgis ) → $cookie
   $cgis - a CGI::Session
The cookie is a non-HttpOnly cookie that contains the current session ID and a secret. The secret is constant for a given session. The cookie is deliberately not HttpOnly because the strikeone JavaScript has to read the secret when a form is submitted.
StaticMethod isValidNonce( $cgis, $key ) → $boolean
   $cgis - a CGI::Session
   $key - the validation key to check
Check that the given validation key is valid for the session. Return false if not.
StaticMethod isValidNonceHash( $actions, $key ) → $boolean
   $actions - the set of valid keys, as stored in the session
   $key - the validation key to check
Check that the given validation key is present in the set of valid keys. Return false if not.
StaticMethod expireValidationKeys( $cgis[, $key] )
Expire any timed-out validation keys for this session, and (optionally) force expiry of a specific key, even if it hasn't timed out.
StaticMethod validate( $session )