Blog

Eric Peterson

December 22, 2017

Spread the word


Share your thoughts

I love modules that help me do the right thing in my code, especially when I often forget to do something. Today's module is very straight-forward — [verify-csrf-interceptor](https://www.forgebox.io/view/verify-csrf-interceptor) — an interceptor that will automatically check for CSRF tokens for all non-GET requests to help protect against [cross-site request forgery.](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))

verify-csrf-interceptor

To mitigate CSRF attacks, CFML has two built-in methods to handle CSRF tokens — csrfGenerateToken and csrfVerifyToken. You should include a generate token in any form submission in your application and verify it in your handlers or controllers.

It's very easy to miss this, though, because you have to wire up both the token generation in the form and the token verification in the handler. This interceptor takes care of the token verification.

It's such a short function, let's take a look at it in its entirety here:

/**
* Verifies the CSRF token on all non-GET requests
*/
component extends="coldbox.system.Interceptor"{
    
    public void function configure() {}

    public void function preEvent( event, interceptData ) {
        if ( event.getHTTPMethod() == "GET" ) {
            return;
        }

        if ( actionMarkedToSkip( event, interceptData ) ) {
            return;
        }

        if ( ! event.valueExists( "_token" ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token was not included."
            );
        }

        if ( ! CSRFVerifyToken( event.getValue( "_token" ) ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token is invalid."
            );
        }
    }

    private boolean function actionMarkedToSkip(
        required event,
        required struct interceptData
    ) {
        var handler = getController()
            .getHandlerService()
            .getRegisteredHandler( interceptData.processedEvent );

        var md = getComponentMetadata(
            "#handler.getInvocationPath()#.#handler.getHandler()#"
        );

        var funcs = arrayFilter( md.functions, function( func ) {
            return func.name == handler.getMethod();
        } );

        if ( NOT arrayIsEmpty( funcs ) ) {
            if ( structKeyExists( funcs[1], "skipCSRFCheck" ) ) {
                return true;
            }
        }

        return false;
    }
    
}

Wrap Up

Protect yourself from simple omissions like forgetting to generate and verify CSRF tokens — install verify-csrf-interceptor today and it will start verifying for you with no further configuration. That's the power of ColdBox modules!

Add Your Comment

Recent Entries

BoxLang 1.0.0 RC1 Launched

BoxLang 1.0.0 RC1 Launched

After nearly a year of relentless iteration, rigorous testing, blood, sweat, lots of praying, tears, and over 1,000 resolved tickets, we proudly announce the first Release Candidate (RC1) of BoxLang! With 27 beta versions behind us, we are now on the final stretch toward the official 1.0 release.

Luis Majano
Luis Majano
February 18, 2025
Exploring BoxLang: A Modern Scripting Language for the JVM!

Exploring BoxLang: A Modern Scripting Language for the JVM!

The amazing CFML community leader Ray Camden recently shared his thoughts on BoxLang, a dynamic scripting language that runs on the Java Virtual Machine (JVM). BoxLang is lightweight (only 6 MB) and doesn’t require Java knowledge, making it accessible to developers from all backgrounds. Whether you're building CLI scriptsweb applications, or experimenting with serverless architecture, BoxLang has you covered.

Maria Jose Herrera
Maria Jose Herrera
February 14, 2025
Get a Free BoxLang+ License with Your ITB 2025 Ticket!

Get a Free BoxLang+ License with Your ITB 2025 Ticket!

At Ortus Solutions, we are dedicated to delivering the best experience for our Into the Box attendees. This year’s event will be an exciting opportunity to explore BoxLang and modern CFML development, and we want to ensure that attending in person is even more rewarding.

Maria Jose Herrera
Maria Jose Herrera
February 07, 2025