
The Transient Key. How does one make use of it?

peregrine MVP
edited June 2012 in Vanilla 2.0 - 2.8

Can anybody provide some info on how, when and why to access the transient key, or direct me to some docs? Just a simple example would suffice.

I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.


Answers

  • Looks like it is used for session control

  • What? What transient key?

  • businessdad Stealth contributor MVP

    Excellent answer from @Kasper. To add an example, here's how you can use the transient key.

    In the view:

    // Read the current session's transient key and embed it in the form as a hidden field
    $TransientKey = Gdn::Session()->TransientKey();
    $this->Form->Hidden('TransientKey', array('value' => $TransientKey));
    

    Then, in the controller, when data is POSTed back:

    // Read the submitted key back and check it against the session before acting on the POST
    $TransientKey = $Sender->Form->GetFormValue('TransientKey');
    if (Gdn::Session()->ValidateTransientKey($TransientKey)) {
      // Transient key is valid, go on
    }
    else {
      // Transient key is not valid, halt
    }
    
  • Transient key is sometimes erroneously called nonce (number used once), a concept used in cryptography and security.

    The reality is that transient keys persist and nonces are discarded after a single use. Nevertheless, in frameworks you often get functions that refer to a nonce when it is a transient key that is being used (e.g. wp_nonce_field).

    grep is your friend.

  • businessdad Stealth contributor MVP

    @x00 said:
    Transient key is sometimes erroneously called nonce (number used once)

    That's the Humpty Dumpty rule. "When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean - neither more nor less." :)

    It's the same when your manager tells you to work on X instead of Y, and then he tells you that "instead of" meant "and also on".

  • 50sQuiff ✭✭
    edited October 2013

    Testing

    CSRFTest
  • hgtonight ∞ · New Moderator

    Just to add to @businessdad's excellent example, using a form's AuthenticatedPostBack() method checks the transient key for validity as well.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

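To make the distinction drawn in this thread concrete (businessdad's view/controller example and x00's point that a transient key persists while a nonce is discarded), here is an added stand-alone illustration. It is not Vanilla's own code: the class name TransientKeyDemo and its methods are made up for the example, and a plain array stands in for $_SESSION.

```php
<?php
// Added illustration, not Vanilla's own code: a session-bound "transient key"
// next to a single-use nonce, to show the distinction discussed above.
// Assumes PHP 7+; a plain array stands in for $_SESSION.
class TransientKeyDemo
{
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Transient key: one random value per login session, reused by every
    // form until the session ends (the behaviour the thread describes).
    public function transientKey(): string
    {
        if (empty($this->session['TransientKey'])) {
            $this->session['TransientKey'] = bin2hex(random_bytes(16));
        }
        return $this->session['TransientKey'];
    }

    public function validateTransientKey(?string $submitted): bool
    {
        if ($submitted === null || empty($this->session['TransientKey'])) {
            return false;
        }
        // Constant-time comparison so timing does not leak the key.
        return hash_equals($this->session['TransientKey'], $submitted);
    }

    // Nonce: generated per form and discarded on first use.
    public function nonce(): string
    {
        $n = bin2hex(random_bytes(16));
        $this->session['Nonces'][$n] = true;
        return $n;
    }

    public function consumeNonce(?string $submitted): bool
    {
        if ($submitted === null || !isset($this->session['Nonces'][$submitted])) {
            return false;
        }
        unset($this->session['Nonces'][$submitted]);
        return true;
    }
}
```

Calling validateTransientKey() with the key from transientKey() succeeds on every POST of the same session, whereas a value from nonce() passes consumeNonce() exactly once and is rejected on any replay; a form that omits or alters the hidden field fails both checks.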