Preventing CSRF Attacks Using Form Request Token in Joomla

Place a token in every form that changes state so the server can verify that the request really came from a page it served. This prevents CSRF (Cross Site Request Forgery) attacks: a third-party site can make a logged-in user's browser submit a form to your site, but it cannot read the token from your page, so a forged request will not carry a valid one.

The following call generates a hidden input whose name is the token value. Place it inside your form:

echo JHTML::_( 'form.token' );

The token is a random string that is unique per session and user.

If you are submitting the form with the GET method, you can instead append the token to the URL as a parameter name with the value 1, like this. Bear in mind that tokens in URLs can leak through the Referer header, browser history and server logs, so prefer POST for requests that change state.

echo JRoute::_( 'index.php?option=com_example&task=save&'. JUtility::getToken() .'=1' ); 

Before the form-processing code runs, check for the token. If it is missing or invalid, stop and display a simple, direct error message. checkToken() returns false in that case, so the "or die(...)" idiom below aborts the request before anything is saved:

// For the POST method
JRequest::checkToken() or die( 'Invalid Token' );
// For the GET method
JRequest::checkToken( 'get' ) or die( 'Invalid Token' );
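The pieces above put together in one controller, as an added example that is not part of the original page or of the Joomla project. It assumes a hypothetical com_example component written against the Joomla 1.5-era API the page uses (JController, JRequest, JUtility, JHTML), with made-up task names save and delete and a made-up title field; the form markup is inlined into the controller only to keep the example self-contained, where a real component would put it in the view template.

```php
<?php
// Added example (not from the original page or the Joomla project): a
// hypothetical com_example component for Joomla 1.5 that protects a POST
// form and a GET link with the per-session form token.
defined('_JEXEC') or die('Restricted access');

jimport('joomla.application.component.controller');

class ExampleController extends JController
{
    // Renders the form and the link. In a real component this belongs in
    // the view template (tmpl/default.php); inlined here to keep the example whole.
    function display()
    {
        // JRoute::_() escapes & as &amp; by default, which is what HTML output needs
        $action = JRoute::_('index.php?option=com_example');
        echo '<form action="' . $action . '" method="post">';
        echo '<input type="text" name="title" />';
        echo '<input type="hidden" name="task" value="save" />';
        // Emits <input type="hidden" name="{token}" value="1" />; the input NAME
        // is the secret, so a forged form cannot reproduce it
        echo JHTML::_('form.token');
        echo '<input type="submit" value="Save" />';
        echo '</form>';

        // GET variant: the token travels as a query parameter named after the token
        $url = JRoute::_('index.php?option=com_example&task=delete&id=3&'
            . JUtility::getToken() . '=1');
        echo '<a href="' . $url . '">Delete item 3</a>';
    }

    // POST handler: refuse to do anything unless the token is present and valid
    function save()
    {
        JRequest::checkToken() or jexit('Invalid Token');

        $title = JRequest::getString('title', '', 'post');
        // ... persist $title here (omitted: hypothetical model code) ...

        $this->setRedirect(JRoute::_('index.php?option=com_example', false), 'Saved');
    }

    // GET handler: same check, but tell checkToken() to look in the query string
    function delete()
    {
        JRequest::checkToken('get') or jexit('Invalid Token');

        $id = JRequest::getInt('id', 0, 'get');
        // ... delete row $id here (omitted: hypothetical model code) ...

        $this->setRedirect(JRoute::_('index.php?option=com_example', false), 'Deleted');
    }
}

// Component entry point (what com_example/example.php would contain)
$controller = new ExampleController();
$controller->execute(JRequest::getCmd('task'));
$controller->redirect();
```

The check sits at the very top of each state-changing task, before any request data is read, so a request that fails it never reaches the model. jexit() is used instead of a bare die() so Joomla can run its normal shutdown handling, but the effect for the user is the same short error message.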

