The Transient Key. How does one make use of it?
Can anybody provide some info on how, when and why to access the transient key, or direct me to some docs? Just a simple example would suffice.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Best Answer
Kasper Vanilla Staff
The Transient Key is used as a measure against "Cross-Site Request Forgery" (CSRF for short). What the Transient Key does is provide a session- and user-specific access token that must be supplied with each form submission. This prevents hackers from sending valid (albeit forged) form submissions from an attacker site. You can read more about CSRF here: http://en.wikipedia.org/wiki/Cross-site_request_forgery. The Ruby on Rails Security Docs also contain a great chapter about CSRF prevention, which is essentially parallel to the way Vanilla handles CSRF prevention: http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
Kasper Kronborg Isager (kasperisager) | Freelance Developer @Vanilla | Hit me up: Google Mail or Vanilla Mail | Find me on GitHub
Answers
Looks like it is used for session control
What? What transient key?
Excellent answer from @Kasper. To add an example, here's how you can use the transient key.
In the view:
Then, in the controller, when data is POSTed back:
My shop | About Me
The transient key is sometimes erroneously called a nonce (number used once), a concept used in cryptography and security.
The reality is that transient keys persist and nonces are discarded after a single use. Nevertheless, frameworks often have functions that refer to a nonce when it is actually a transient key that is being used (e.g. wp_nonce_field).
grep is your friend.
That's the Humpty Dumpty rule. "When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean - neither more nor less."
It's the same when your manager tells you to work on X instead of Y, and then he tells you that "instead of" meant "and also on".
My shop | About Me
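The view/controller pattern described two posts up, and the transient-key-versus-nonce distinction from the post just above, as one added example. This is not code from the original posts and not Vanilla's own API: every function name below is a hypothetical stand-in, and a plain array is used in place of $_SESSION so the script runs from the command line.

```php
<?php
// Added example, not Vanilla's own code: the session-bound CSRF token
// ("transient key") pattern from the answers above, plus a single-use nonce
// for contrast. All function names here are hypothetical stand-ins for the
// framework calls; $session stands in for $_SESSION so the script runs on the CLI.
declare(strict_types=1);

// Transient key: one token per login session, reused on every form, so the
// same value validates many submissions until the session ends.
function transient_key(array &$session): string
{
    if (empty($session['TransientKey'])) {
        $session['TransientKey'] = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    }
    return $session['TransientKey'];
}

// View side: hidden field to include in every state-changing form.
function transient_key_field(array &$session): string
{
    $key = htmlspecialchars(transient_key($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="TransientKey" value="' . $key . '">';
}

// Controller side: only honour the POST when the echoed key matches the
// session's key. hash_equals() keeps the comparison constant-time.
function validate_transient_key(array &$session, ?string $submitted): bool
{
    if (empty($session['TransientKey']) || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($session['TransientKey'], $submitted);
}

// Nonce, for contrast: issued per form render and discarded on first use,
// so a replayed submission fails even with a valid session.
function issue_nonce(array &$session): string
{
    $nonce = bin2hex(random_bytes(16));
    $session['Nonces'][$nonce] = true;
    return $nonce;
}

function consume_nonce(array &$session, ?string $submitted): bool
{
    if ($submitted === null || !isset($session['Nonces'][$submitted])) {
        return false;
    }
    unset($session['Nonces'][$submitted]); // single use
    return true;
}

// Constructed request cycle; no real HTTP involved.
$session = [];
echo transient_key_field($session), PHP_EOL;

$genuine = ['Body' => 'hello', 'TransientKey' => transient_key($session)];
$forged  = ['Body' => 'hello']; // a cross-site page cannot read the victim's key

foreach ([$genuine, $forged] as $post) {
    $ok = validate_transient_key($session, $post['TransientKey'] ?? null);
    echo 'transient key check: ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
// A second genuine submission with the same key still passes: the key persists.
$again = validate_transient_key($session, $genuine['TransientKey']);
echo 'second submission: ', $again ? 'accepted' : 'rejected', PHP_EOL;

$nonce = issue_nonce($session);
echo 'nonce first use: ', consume_nonce($session, $nonce) ? 'accepted' : 'rejected', PHP_EOL;
echo 'nonce replay: ', consume_nonce($session, $nonce) ? 'accepted' : 'rejected', PHP_EOL;
```

Two design points worth noting: the key is compared with hash_equals() rather than == so that a mismatch cannot be detected byte-by-byte through timing, and the forged request fails not because it is malformed but because the attacker's origin has no way to read the token bound to the victim's session. The nonce functions show the difference the post above draws: the transient key keeps validating until the session ends, while the nonce is gone after one use.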
Testing
Just to add to @businessdad's excellent example, using a form's AuthenticatedPostBack() method checks the transient key for validity as well.
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.