Dev:XoopsSecurity

From XOOPS Project

Category: Development

Since version 2.0.10, XOOPS has a class for performing security-related actions: XoopsSecurity.

The class is used by the core and can also be used by modules; at present its purpose is to add a "token" to a form.

How does it work?

The token system is used in conjunction with input forms: it generates a unique and practically unguessable value that is saved both in the user's session and as a hidden field in the form. When the form is submitted, the receiving page checks whether the token value sent with the form is also present in the user's session; if it is not, the check fails.
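To make the mechanism concrete, here is a small stand-alone PHP script, added to this page as an illustration and not taken from XOOPS, that re-creates the pattern just described: issue a random value, remember it in the session, carry it in a hidden form field, and on submission accept the request only if the submitted value is in the session. Everything in it is constructed: the field name form_token, the array standing in for $_SESSION, and the three sample submissions. The use of random_bytes(), hash_equals(), expiry and one-time consumption are this example's own choices and say nothing about how the XoopsSecurity class itself is implemented.

```php
<?php
// Illustration of the session-token pattern; not XOOPS code. Runs from the CLI
// (PHP 7+ for random_bytes). A plain array replaces $_SESSION so no cookies or
// web server are needed.

const TOKEN_FIELD = 'form_token'; // constructed field name, not the one XOOPS uses

/**
 * Generate a fresh token, remember it in the session and return it.
 * random_bytes() supplies the "practically unguessable" value.
 */
function issueToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));  // 256 bits from the CSPRNG
    $session['tokens'][$token] = time(); // remember when it was issued, for expiry
    return $token;
}

/** HTML for the hidden field that the form must carry back to the server. */
function tokenHtml(string $token): string
{
    return '<input type="hidden" name="' . TOKEN_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

/**
 * Check a submitted form against the session. True only if the token was
 * issued to this session, is not older than $ttl seconds and has not been
 * used before; a matching token is removed so the same request cannot be
 * replayed.
 */
function checkToken(array &$session, array $post, int $ttl = 3600): bool
{
    $submitted = $post[TOKEN_FIELD] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return false; // no token at all: a form that did not come from us
    }
    $valid = false;
    foreach ($session['tokens'] ?? [] as $stored => $issuedAt) {
        // hash_equals() compares in constant time, so the match position is not leaked
        if (hash_equals((string) $stored, $submitted)) {
            $valid = (time() - $issuedAt) <= $ttl;
            unset($session['tokens'][$stored]); // one-time use
            break;
        }
    }
    return $valid;
}

// ---- Demonstration with a constructed session and three constructed submissions ----
$session = [];

// Form side: render the form with the hidden token.
$token = issueToken($session);
echo "<form method=\"post\" action=\"save.php\">\n"
   . "  <input type=\"text\" name=\"title\" />\n"
   . '  ' . tokenHtml($token) . "\n"
   . "</form>\n\n";

// Receiving side: a genuine submission, a submission from a page that never saw
// the token (it can only guess), and the genuine token sent a second time.
$legit  = ['title' => 'hello', TOKEN_FIELD => $token];
$forged = ['title' => 'unwanted edit', TOKEN_FIELD => str_repeat('0', 64)];
$replay = $legit;

var_dump(checkToken($session, $forged)); // bool(false): value is not in the session
var_dump(checkToken($session, $legit));  // bool(true)
var_dump(checkToken($session, $replay)); // bool(false): consumed by the first check
```

The forged request fails because the token lives only in the legitimate user's session and in the page served to that user; a form hosted elsewhere has no way to read it. The replay fails because the token is removed on first use, which is an extra safeguard this example adds on top of the basic check the page describes.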

How do I use this in my module?

Depending on how your module builds its forms, there are two ways to add the token on the form side; the check on the receiving side is the same in both cases:

Form side

1) Pass true as the fifth parameter of the XoopsForm-derived class constructor to add a token; false (the default) leaves the token system unused for that form.

2) If you are not using the XoopsForm classes but writing HTML directly in a PHP file or a Smarty template, you can get the HTML for a token field from $GLOBALS['xoopsSecurity']->getTokenHTML(). This returns the result of a XoopsFormHiddenToken::render() call, ready to be echoed from a PHP file or assigned to $xoopsTpl for use in a template.

Receiving side

On the receiving end, check the validity of the token by calling $GLOBALS['xoopsSecurity']->check(), which returns true or false, before authorising changes to the database or similar actions.
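The following sketch puts the form-side options and the receiving-side check together as they would appear in a module. It is an illustration added to this page, not code from XOOPS or from any existing module. The file names myform.php and save.php, the module's field names and the error message are assumptions; the XoopsSecurity calls are exactly the ones named above, and XoopsThemeForm, XoopsFormText, XoopsFormButton, XOOPS_ROOT_PATH and redirect_header() are assumed to be the XOOPS core classes, constant and function available to a module after the usual includes.

```php
<?php
// ---- myform.php (form side), illustration only ----
include '../../mainfile.php';                       // bootstrap XOOPS from a module directory
include XOOPS_ROOT_PATH . '/header.php';
include XOOPS_ROOT_PATH . '/class/xoopsformloader.php';

// Option 1: XoopsForm classes. The fifth constructor argument (true) makes the
// form carry the hidden token field; the default false would leave it out.
$form = new XoopsThemeForm('Edit item', 'item_form', 'save.php', 'post', true);
$form->addElement(new XoopsFormText('Title', 'title', 50, 255), true);
$form->addElement(new XoopsFormButton('', 'submit', 'Save', 'submit'));
$form->display();

// Option 2: hand-written Smarty template. Hand the rendered hidden field to the
// template as a variable and place it inside the <form> in the .html file:
//   <form method="post" action="save.php"> ... <{$token_html}> ... </form>
$xoopsTpl->assign('token_html', $GLOBALS['xoopsSecurity']->getTokenHTML());

include XOOPS_ROOT_PATH . '/footer.php';

// ---- save.php (receiving side), illustration only ----
include '../../mainfile.php';

// Refuse the request before anything is written if the token is missing or is
// not the one stored in this user's session.
if (!$GLOBALS['xoopsSecurity']->check()) {
    redirect_header('myform.php', 3, 'Invalid form token, please submit the form again.');
    exit;
}

// Token accepted: only now perform the database change for the submitted data.
$title = isset($_POST['title']) ? trim($_POST['title']) : '';
// ... save $title via the module's handler ...
redirect_header('index.php', 2, 'Item saved.');
```

Whichever form-side option a module uses, the receiving script is the same: one check() call guards every code path that modifies data, and the failure branch redirects without touching the database.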

When should I use this?

You should use the token system whenever you have a form that makes changes to the database, and especially when the form is only available to certain privileged users.

I'm using module xxx on my site and it doesn't use tokens. Is it unsafe?

Not directly, no, although there is some discussion in this area (which is why the token system was introduced in the first place). If you are checking the HTTP REFERER (which XOOPS does by default), you are quite safe from the malicious attacks in which your site admins are tricked into performing actions on your site by submitting forms hosted on another site. However, checking the HTTP REFERER is not entirely friendly towards your users, who may have to configure their firewall to send it for your site. The token system makes your site less vulnerable should you decide to disable the referer checking.


Retrieved from "http://www.xoops.org/modules/mediawiki/index.php/Dev:XoopsSecurity"

This page has been accessed 376 times. This page was last modified 01:48, 16 December 2007. Content is available under XOOPS Project.