U++ forum: Welcome to the forum

Skylark : GetIdentity alternative way of working [message #53780]

Thu, 30 April 2020 00:10

Xemuth
Messages: 387
Registered: August 2018
Location: France

Senior Member

Hello,

Today I tried to setup a form using $post_identity() to prevent CSRF attacks. However for a strange reason, the example provided by Upp (Skylark06) work perfectly but when using on my own app, the

String GetIdentity(const Renderer *r)

function always return "zd" since the key/value named __identity__ is not on first position in the http->var vectorMap<String,Value>.

to fix my problem I changed a bit the function :

String GetIdentity(const Renderer *r)
{
	Http *http = const_cast<Http *>(dynamic_cast<const Http *>(r));
	if(!http)
		throw Exc("invalid POST identity call");
	
	//New
	bool find = false;
	Upp::String s;
	for(const Upp::String& key : http->var.GetKeys()){
		if(key.Find("__identity__") != -1){
			s = http->var.Get(key).ToString();
			find = true;
			break;
		}
	}
	if(find)
		return s;
	s = AsString(Uuid::Create());
	http->SessionSet0("__identity__", s);
	http->var[0] = s;
	return s;
}

What you think about it ?

Report message to a moderator