Creating Nonces
To create a nonce, all you need to do is generate a random string once per page load for each user. This nonce is then
added as a hidden form field in every form rendered in the current view, and it is stored in the user's session.
Open system/core/class.controller.inc.php and add the following code to the generate_nonce() method:
protected function generate_nonce( )
{
    // Checks for an existing nonce before creating a new one
    if (empty(self::$nonce)) {
        // uniqid() is derived from the current time (with added entropy when the
        // second argument is TRUE); it is not a cryptographic random generator.
        // An empty-string prefix is used because passing NULL is deprecated in PHP 8.1+.
        self::$nonce = base64_encode(uniqid('', TRUE));
        $_SESSION['nonce'] = self::$nonce;
    }
    return self::$nonce;
}
This method first checks whether $nonce is empty because the app often displays several forms in one view; if the
first form's nonce were overwritten, that form could no longer be submitted successfully, which would break the app.
If no nonce is set, a new one is generated by calling uniqid() and encoding the result with base64_encode().
The value is stored both in the object as a static property (so all Controller-based classes use the same nonce in
their views) and in the $_SESSION superglobal so that the nonce can be verified after submission.
Checking Nonces
When a form is submitted, the first thing to check is that the nonce submitted through the form matches the one
stored in the session. If they don't match, something is fishy and the submission should not be processed.
To check the nonce, add a new method called check_nonce() to system/core/class.controller.inc.php, after
generate_nonce(), with the following code:
protected function generate_nonce( )
{
    // Checks for an existing nonce before creating a new one
    if (empty(self::$nonce)) {
        // uniqid() is derived from the current time (with added entropy when the
        // second argument is TRUE); it is not a cryptographic random generator.
        // An empty-string prefix is used because passing NULL is deprecated in PHP 8.1+.
        self::$nonce = base64_encode(uniqid('', TRUE));
        $_SESSION['nonce'] = self::$nonce;
    }
    return self::$nonce;
}

/**
 * Checks for a valid nonce
 *
 * @return bool TRUE if the nonce is valid; otherwise FALSE
 */
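As an added example (not the book's code), the following self-contained PHP script shows the generate/check pair the two sections describe: one nonce per page load, shared by every form in the view, stored in the session, and compared against the submitted hidden field. It assumes random_bytes() in place of the book's uniqid() and hash_equals() for the comparison, and replaces $_SESSION and $_POST with constructed arrays so it runs from the command line.

```php
<?php
// Added example, not the book's code. $_SESSION and $_POST are filled with
// constructed values so the script runs from the CLI without a web server.

class Controller
{
    // Static so all Controller-based classes share one nonce per page load
    protected static $nonce;

    protected function generate_nonce()
    {
        // Only create a nonce if none exists yet for this page load
        if (empty(self::$nonce)) {
            // Assumption: random_bytes() (a CSPRNG) instead of the book's uniqid()
            self::$nonce = base64_encode(random_bytes(32));
            $_SESSION['nonce'] = self::$nonce;
        }
        return self::$nonce;
    }

    // Returns TRUE only when a nonce exists in the session, one was submitted,
    // and the two match. Missing or non-string input is rejected outright.
    protected function check_nonce()
    {
        if (empty($_SESSION['nonce']) || !isset($_POST['nonce'])
            || !is_string($_POST['nonce'])) {
            return false;
        }
        // hash_equals() compares in constant time regardless of where the strings differ
        return hash_equals($_SESSION['nonce'], $_POST['nonce']);
    }

    // Public wrappers so the demonstration below can drive the protected methods
    public function hidden_field()
    {
        $n = htmlspecialchars($this->generate_nonce(), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="nonce" value="' . $n . '" />';
    }
    public function is_valid_submission() { return $this->check_nonce(); }
}

$_SESSION = array();                              // constructed stand-in for the session
$c = new Controller();
echo $c->hidden_field(), "\n";                    // the field every form in the view carries
echo $c->hidden_field(), "\n";                    // a second form gets the same nonce

$_POST = array('nonce' => $_SESSION['nonce']);    // submission carrying the session's nonce
var_dump($c->is_valid_submission());

$_POST = array('nonce' => 'constructed-mismatch'); // submission whose nonce does not match
var_dump($c->is_valid_submission());
```

The two var_dump() calls show the accept and reject paths; in the real app the reject path is where the controller stops processing the submission.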