Eric Peterson

December 22, 2017


I love modules that help me do the right thing in my code, especially when I often forget to do something. Today's module is very straightforward — [verify-csrf-interceptor](https://www.forgebox.io/view/verify-csrf-interceptor) — an interceptor that will automatically check for CSRF tokens on all non-GET requests to help protect against [cross-site request forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).

verify-csrf-interceptor

To mitigate CSRF attacks, CFML has two built-in functions for handling CSRF tokens — csrfGenerateToken and csrfVerifyToken. You should include a generated token in every form submission in your application and verify it in your handlers or controllers.

It's very easy to miss this, though, because you have to wire up both the token generation in the form and the token verification in the handler. This interceptor takes care of the token verification: it expects the token in a request parameter named _token and rejects any non-GET request where that value is missing or does not verify.

It's such a short function, let's take a look at it in its entirety here:

```cfml
/**
 * Verifies the CSRF token on all non-GET requests
 */
component extends="coldbox.system.Interceptor"{

    public void function configure() {}

    // Runs before every event; throws a TokenMismatchException when the token is missing or wrong
    public void function preEvent( event, interceptData ) {
        // Read-only requests are not expected to carry a token
        if ( event.getHTTPMethod() == "GET" ) {
            return;
        }

        // Handler methods annotated with skipCSRFCheck opt out of the check
        if ( actionMarkedToSkip( event, interceptData ) ) {
            return;
        }

        // The token must arrive in a request parameter named _token
        if ( ! event.valueExists( "_token" ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token was not included."
            );
        }

        // CSRFVerifyToken compares the submitted value against the token issued for this session
        if ( ! CSRFVerifyToken( event.getValue( "_token" ) ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token is invalid."
            );
        }
    }

    // Inspects the metadata of the handler method about to run and reports
    // whether it carries a skipCSRFCheck annotation
    private boolean function actionMarkedToSkip(
        required event,
        required struct interceptData
    ) {
        var handler = getController()
            .getHandlerService()
            .getRegisteredHandler( interceptData.processedEvent );

        var md = getComponentMetadata(
            "#handler.getInvocationPath()#.#handler.getHandler()#"
        );

        // Keep only the metadata entry for the method this event maps to
        var funcs = arrayFilter( md.functions, function( func ) {
            return func.name == handler.getMethod();
        } );

        if ( NOT arrayIsEmpty( funcs ) ) {
            if ( structKeyExists( funcs[1], "skipCSRFCheck" ) ) {
                return true;
            }
        }

        return false;
    }

}
```
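To make the synchronizer-token pattern the interceptor enforces concrete end to end, here is an added example in Python. It is not the module's code and not CFML: csrf_generate_token and csrf_verify_token stand in for CFML's csrfGenerateToken and csrfVerifyToken, verify_csrf mirrors the four branches of preEvent (GET, opted-out handler, missing _token, invalid _token), and the skip_csrf_check decorator plays the role of the skipCSRFCheck annotation. The Session and Request classes, the handler names and the token-per-session storage scheme are assumptions made for the example.

```python
import hmac
import secrets
from typing import Callable, Dict


class TokenMismatchException(Exception):
    """Mirrors the exception type the interceptor throws."""


class Session:
    """Constructed stand-in for a server-side session store (one instance per user)."""

    def __init__(self) -> None:
        self.data: Dict[str, str] = {}


class Request:
    """Constructed stand-in for the request context: HTTP method, form/URL params, session."""

    def __init__(self, method: str, params: Dict[str, str], session: Session) -> None:
        self.method = method
        self.params = params
        self.session = session


def csrf_generate_token(session: Session, key: str = "default") -> str:
    """Stand-in for csrfGenerateToken(): issue one random token per session (and key),
    re-using it on later calls so every form rendered in the session carries the same value."""
    name = f"_csrf_{key}"
    if name not in session.data:
        session.data[name] = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return session.data[name]


def csrf_verify_token(session: Session, token: str, key: str = "default") -> bool:
    """Stand-in for csrfVerifyToken(): compare the submitted token with the one stored in
    this session, in constant time so the comparison leaks no timing information."""
    expected = session.data.get(f"_csrf_{key}")
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), token.encode())


def skip_csrf_check(handler: Callable) -> Callable:
    """Decorator playing the role of the skipCSRFCheck function annotation."""
    handler.skipCSRFCheck = True
    return handler


def verify_csrf(request: Request, handler: Callable) -> None:
    """The interceptor's preEvent() logic: let GETs and opted-out handlers through,
    otherwise require a present and valid _token parameter."""
    if request.method.upper() == "GET":
        return
    if getattr(handler, "skipCSRFCheck", False):
        return
    if "_token" not in request.params:
        raise TokenMismatchException("The CSRF token was not included.")
    if not csrf_verify_token(request.session, request.params["_token"]):
        raise TokenMismatchException("The CSRF token is invalid.")


def dispatch(request: Request, handler: Callable) -> str:
    """Run the CSRF check, then the handler; returns the handler's result or the
    rejection message so the caller can see which branch fired."""
    try:
        verify_csrf(request, handler)
    except TokenMismatchException as exc:
        return f"rejected: {exc}"
    return handler(request)


# Sample handlers (constructed): one protected, one opted out of the check.
def update_profile(request: Request) -> str:
    return "profile updated"


@skip_csrf_check
def payment_webhook(request: Request) -> str:
    return "webhook accepted"


def render_form(session: Session) -> str:
    """The form side of the pattern: embed the generated token as the _token field."""
    return f'<input type="hidden" name="_token" value="{csrf_generate_token(session)}">'


if __name__ == "__main__":
    user = Session()
    print(render_form(user))
    token = csrf_generate_token(user)
    print(dispatch(Request("POST", {"_token": token}, user), update_profile))
    print(dispatch(Request("POST", {}, user), update_profile))
    print(dispatch(Request("POST", {"_token": "wrong"}, user), update_profile))
    print(dispatch(Request("POST", {}, user), payment_webhook))
```

Two details matter for the security of the pattern and are easy to drop when re-implementing it: the token is bound to the session, so a value captured from a different session never verifies, and the comparison is constant-time. The example also shows why the skip annotation exists: a handler that legitimately cannot receive a token (an inbound webhook here) must be opted out explicitly rather than by weakening the check for everyone.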

Wrap Up

Protect yourself from simple omissions like forgetting to generate and verify CSRF tokens — install verify-csrf-interceptor today and it will start verifying for you with no further configuration. That's the power of ColdBox modules!
