anonymous_token.module in Anonymous CSRF Token 7

File

anonymous_token.module
View source
<?php

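/**
 * Implements hook_form_alter().
 *
 * Core attaches its session-bound form_token only to forms shown to
 * authenticated users, so forms rendered for anonymous visitors carry no CSRF
 * token. For any form without '#token' this adds a hidden 'anon_token' element
 * holding drupal_get_token() and registers
 * anonymous_token_validate_anon_token() as the first form-level validator.
 *
 * The token is derived from the current session id, so that session must
 * still exist when the form is submitted. Drupal 7 starts anonymous sessions
 * lazily and persists one (and sends its cookie) only when $_SESSION holds
 * data; storing the session id in $_SESSION is what keeps the session, and
 * therefore the token, valid across the round trip. The trade-off is that
 * every anonymous visitor who is shown a form gets a session.
 *
 * NOTE(review): '#token' is also absent for forms that opted out of CSRF
 * protection with '#token' => FALSE (core unsets it) and for programmatic
 * submissions, so those receive a token here too — confirm that is intended.
 * NOTE(review): tokens are session-bound, so a form served from the page
 * cache would carry another visitor's token and always fail validation.
 *
 * @param array $form
 *   The form structure, altered in place.
 * @param array $form_state
 *   The form state.
 * @param string $form_id
 *   The form id (unused).
 */
function anonymous_token_form_alter(&$form, &$form_state, $form_id) {
  if (isset($form['#token'])) {
    // Core already protects this form with its own token.
    return;
  }

  $form['anon_token'] = array(
    '#type' => 'token',
    '#default_value' => drupal_get_token(),
    // Pin the submitted value to $form_state['values']['anon_token'] so the
    // validator finds it regardless of #tree/#parents set elsewhere on the
    // form (core does the same for form_token).
    '#parents' => array('anon_token'),
  );

  // Core normally initialises #validate before form_alter runs, but if it were
  // missing array_unshift() would fail and silently leave the token unchecked
  // (fail-open). Normalise it first, then make this check run before any other
  // form-level validator.
  $form['#validate'] = isset($form['#validate']) ? (array) $form['#validate'] : array();
  array_unshift($form['#validate'], 'anonymous_token_validate_anon_token');
  // NOTE(review): in Drupal 7 a triggering button with its own #validate list
  // replaces the form-level one, which would skip this handler; if such forms
  // must be covered, also attach it via '#element_validate' on anon_token.

  // Store the current session id. Writing to $_SESSION (which may not exist
  // yet for a lazily started anonymous session) is what makes the session
  // persist; the original author noted this also preserves the session id
  // after login.
  $_SESSION['anon_session_id'] = session_id();
}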
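/**
 * Form validation handler: rejects a submission whose anonymous CSRF token is
 * missing or not valid for the current session.
 *
 * Registered by anonymous_token_form_alter() on forms that carry no core
 * form_token. The token is read from $form_state['values']['anon_token'] and
 * checked with drupal_valid_token() using its default (empty) value, so it is
 * bound to the session rather than to a form id. A missing or non-string
 * value fails closed. On failure the same "form has become outdated" error
 * core uses is recorded, with a reload link that keeps the current path and
 * query string.
 *
 * @param array $form
 *   The form structure (unused).
 * @param array $form_state
 *   The form state; the submitted token is taken from 'values'.
 */
function anonymous_token_validate_anon_token($form, &$form_state) {
  $token = isset($form_state['values']['anon_token']) ? $form_state['values']['anon_token'] : '';

  // A token submitted as an array (e.g. anon_token[]=x) can never match;
  // reject it explicitly rather than relying on the strict comparison inside
  // drupal_valid_token().
  if (is_string($token) && drupal_valid_token($token)) {
    return;
  }

  // Build a reload link that preserves the current path and query string.
  $url = url(current_path(), array('query' => drupal_get_query_parameters()));

  // Record the error against the element this module actually added; any
  // recorded error causes the form to fail validation.
  // NOTE(review): unlike core's form_token check, this runs as an ordinary
  // validation handler, so #element_validate handlers run before it and other
  // form-level validators after it — confirm none of them perform
  // state-changing work on forms that rely on this module.
  form_set_error('anon_token', t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array(
    '@link' => $url,
  )));
}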