How to use csrf_token in templates


mesu...@gmail.com

Jan 14, 2015, 4:56:36 AM1/14/15
to phoeni...@googlegroups.com
With plug :protect_from_forgery, added into the router.ex, how do I add the csrf_token hidden input field inside <form method="POST"> tag in my template?

Paulo Almeida

Jan 14, 2015, 6:03:19 AM1/14/15
to phoeni...@googlegroups.com, mesu...@gmail.com
Hello,

The plug puts the token in the session, so this should work:

<input type="hidden" name="csrf_token" value="<%= Plug.Conn.get_session(@conn, :csrf_token) %>">

If you want to avoid the Plug.Conn prefix just add import Plug.Conn, only: [get_session: 2] inside the quote do block in web/view.ex.

Regards,

Paulo

Chris McCord

Jan 14, 2015, 9:24:53 AM1/14/15
to phoeni...@googlegroups.com
When we introduce form builders, this should be taken care of for you, but for now I would create a helper function in your View:

def csrf_token(conn), do: Plug.Conn.get_session(conn, :csrf_token)


then in your template:

<input type="hidden" name="csrf_token" value="<%= csrf_token(@conn) %>">





--
You received this message because you are subscribed to the Google Groups "phoenix-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to phoenix-talk...@googlegroups.com.
To post to this group, send email to phoeni...@googlegroups.com.
Visit this group at http://groups.google.com/group/phoenix-talk.
To view this discussion on the web visit https://groups.google.com/d/msgid/phoenix-talk/fdc5a26c-4ac6-4772-8383-d8ce7684610c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

mesulphur

Jan 15, 2015, 12:37:51 AM1/15/15
to phoeni...@googlegroups.com
Thanks. Both methods do work.

On a side note, you people are doing great work with Phoenix.

benw...@gmail.com

Mar 4, 2015, 4:26:35 PM3/4/15
to phoeni...@googlegroups.com, mesu...@gmail.com
The Phoenix 0.8 to 0.9 upgrade guide states that Plug.CSRFProtection and :protect_from_forgery now use a cookie instead of the session.

The View helper suggested earlier in this thread using get_session/2 no longer applies.

def csrf_token(conn), do: Plug.Conn.get_session(conn, :csrf_token)

What is the recommended way to retrieve the token value in the hidden field of a 0.9 template?

<input type="hidden" name="_csrf_token" value="<%= csrf_token(@conn) %>">

Any help much appreciated ;-)

Steve Domin

Mar 5, 2015, 5:49:21 AM3/5/15
to phoeni...@googlegroups.com, mesu...@gmail.com, benw...@gmail.com
Hi Ben,

In web/view.ex:

def csrf_token(conn) do
  Map.get(conn.req_cookies, "_csrf_token")
end

In your template:

<input type="hidden" name="_csrf_token" value="<%= @csrf_token %>">

Hope that helps

benw...@gmail.com

Mar 5, 2015, 6:10:22 AM3/5/15
to phoeni...@googlegroups.com, mesu...@gmail.com, benw...@gmail.com
Thanks a million Steve!

Your csrf_token/1 works a treat in fetching the token.

Had a minor change to make to your template code and bingo ;-)

<input type="hidden" name="_csrf_token" value="<%= csrf_token(@conn) %>">



Steve Domin

Mar 5, 2015, 8:59:55 AM3/5/15
to phoeni...@googlegroups.com, mesu...@gmail.com, benw...@gmail.com
Ah yes, sorry I'm doing something slightly different in my code

Chris McCord

Mar 5, 2015, 10:21:10 AM3/5/15
to phoeni...@googlegroups.com
Phoenix 0.10 is due out this weekend and will include a form builder so the token will be injected for you. In the meantime, Steve’s example is the way to go.
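The helpers in this thread only cover one half of the mechanism: putting the stored token into the hidden field. The other half, which protect_from_forgery performs on every POST, is comparing the submitted field against the token the server holds. The following is an added, self-contained Elixir example (not code from this thread, from Phoenix or from Plug) that shows both halves end to end using the session-backed token layout Paulo described. It models the conn and its session as plain maps so it runs with no dependencies; the module name CsrfDemo, the functions issue_token/1, hidden_field/1 and verify/2, and the requests at the bottom are all constructed for the example.

```elixir
# Added example (not from the thread or from Phoenix/Plug): a synchronizer-token
# flow in plain Elixir. The "conn" is a map with :method and :session keys,
# standing in for Plug.Conn and its session store; every name below is an
# assumption made for this example.
defmodule CsrfDemo do
  import Bitwise

  @token_bytes 32
  @session_key :csrf_token
  @param_name "_csrf_token"

  # Put a fresh random token in the (simulated) session unless one is already
  # there. Reusing one session token across GETs is what lets several open
  # forms all submit successfully.
  def issue_token(%{session: session} = conn) do
    case Map.get(session, @session_key) do
      nil ->
        token = @token_bytes |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
        %{conn | session: Map.put(session, @session_key, token)}

      _token ->
        conn
    end
  end

  # The template helper: render the hidden input from the stored token. The
  # value is HTML-escaped even though url-safe base64 never needs it, so the
  # helper stays safe if the token format ever changes.
  def hidden_field(%{session: session}) do
    token = Map.fetch!(session, @session_key)
    ~s(<input type="hidden" name="#{@param_name}" value="#{html_escape(token)}">)
  end

  # What the forgery check does on an unsafe request: the submitted param must
  # equal the session token, compared in constant time. GET/HEAD/OPTIONS are
  # skipped because they must not change state.
  def verify(%{method: method}, _params) when method in ["GET", "HEAD", "OPTIONS"], do: :ok

  def verify(%{session: session}, params) do
    with {:ok, expected} when is_binary(expected) <- Map.fetch(session, @session_key),
         {:ok, submitted} when is_binary(submitted) <- Map.fetch(params, @param_name),
         true <- secure_compare(expected, submitted) do
      :ok
    else
      _ -> {:error, :invalid_csrf_token}
    end
  end

  # Length check first, then OR together the XOR of every byte pair so the time
  # taken does not depend on where the first mismatching byte is.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    a
    |> :binary.bin_to_list()
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> bor(acc, bxor(x, y)) end)
    |> Kernel.==(0)
  end

  defp secure_compare(_a, _b), do: false

  defp html_escape(s) do
    s
    |> String.replace("&", "&amp;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
    |> String.replace("\"", "&quot;")
  end
end

# Walk-through with constructed requests (no real HTTP involved). The pattern
# matches raise MatchError if any step behaves differently.
conn = CsrfDemo.issue_token(%{method: "GET", session: %{}})
IO.puts(CsrfDemo.hidden_field(conn))

token = conn.session.csrf_token
post = %{conn | method: "POST"}
:ok = CsrfDemo.verify(post, %{"_csrf_token" => token})
{:error, :invalid_csrf_token} = CsrfDemo.verify(post, %{})
{:error, :invalid_csrf_token} = CsrfDemo.verify(post, %{"_csrf_token" => "forged"})
```

Save it as a .exs file and run it with `elixir`. The two rejected POSTs at the end are the cases a helper like the ones above must not silently get wrong: a form that omits the field entirely, and a form whose value was not issued by this server. Whether the stored copy lives in the session (0.8) or a cookie (0.9, per Ben's note), the check is the same: the hidden field has to carry exactly the value the server is holding for that client.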

benw...@gmail.com

Mar 5, 2015, 4:57:21 PM3/5/15
to phoeni...@googlegroups.com
Thanks for confirmation and the form builder timeline update Chris ;-)