Issue #2188289 by Jaypan, sun, jibran, Berdir: fix up docs for token functions and methods in regards to anonymous users and sessions

8.0.x
Jennifer Hodgdon 2014-02-12 16:13:01 -08:00
parent 06dfc0365d
commit e63e610478
3 changed files with 19 additions and 0 deletions


@ -3010,6 +3010,11 @@ function drupal_get_private_key() {
* @param string $value * @param string $value
* An additional value to base the token on. * An additional value to base the token on.
* *
* The generated token is based on the session ID of the current user. Normally,
* anonymous users do not have a session, so the generated token will be
* different on every page request. To generate a token for users without a
* session, manually start a session prior to calling this function.
*
* @return string * @return string
* A 43-character URL-safe token for validation, based on the user session ID, * A 43-character URL-safe token for validation, based on the user session ID,
* the hash salt provided from drupal_get_hash_salt(), and the * the hash salt provided from drupal_get_hash_salt(), and the
@ -3017,6 +3022,7 @@ function drupal_get_private_key() {
* *
* @see drupal_get_hash_salt() * @see drupal_get_hash_salt()
* @see \Drupal\Core\Access\CsrfTokenManager * @see \Drupal\Core\Access\CsrfTokenManager
* @see drupal_session_start()
* *
* @deprecated as of Drupal 8.0. Use the csrf_token service instead. * @deprecated as of Drupal 8.0. Use the csrf_token service instead.
*/ */
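Review bot: The paragraph added above `@return` says the token changes on every request for session-less users, but it does not state the consequence a caller needs. Because the token is derived from the session ID, a token issued before a session exists will not match when it is checked on a later request, and a token issued under one session ID stops matching once that ID changes. I would add one sentence to the paragraph, for example `* A token issued without a started session cannot be validated on a later request.` The same paragraph is repeated verbatim in the Drupal::csrfToken() and CsrfTokenGenerator::get() hunks, so the sentence belongs there too. The docblock starts above this hunk and the function it documents lies outside it.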


@ -561,8 +561,15 @@ class Drupal {
/** /**
* Returns the CSRF token manager service. * Returns the CSRF token manager service.
* *
* The generated token is based on the session ID of the current user. Normally,
* anonymous users do not have a session, so the generated token will be
* different on every page request. To generate a token for users without a
* session, manually start a session prior to calling this function.
*
* @return \Drupal\Core\Access\CsrfTokenGenerator * @return \Drupal\Core\Access\CsrfTokenGenerator
* The CSRF token manager. * The CSRF token manager.
*
* @see drupal_session_start()
*/ */
public static function csrfToken() { public static function csrfToken() {
return static::$container->get('csrf_token'); return static::$container->get('csrf_token');
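Review bot: In the csrfToken() docblock the pasted paragraph describes the wrong thing: this method returns the service (`return static::$container->get('csrf_token');`) and does not itself generate a token, so "The generated token" and "prior to calling this function" have no referent here. Reword it to describe the returned service, e.g. open with `* Tokens generated by the returned service are based on the session ID of the current user.` and close with `* session, manually start a session before requesting a token from the service.` The method's closing brace is outside the hunk.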


@ -55,6 +55,11 @@ class CsrfTokenGenerator {
/** /**
* Generates a token based on $value, the user session, and the private key. * Generates a token based on $value, the user session, and the private key.
* *
* The generated token is based on the session ID of the current user. Normally,
* anonymous users do not have a session, so the generated token will be
* different on every page request. To generate a token for users without a
* session, manually start a session prior to calling this function.
*
* @param string $value * @param string $value
* (optional) An additional value to base the token on. * (optional) An additional value to base the token on.
* *
@ -64,6 +69,7 @@ class CsrfTokenGenerator {
* 'drupal_private_key' configuration variable. * 'drupal_private_key' configuration variable.
* *
* @see drupal_get_hash_salt() * @see drupal_get_hash_salt()
* @see drupal_session_start()
*/ */
public function get($value = '') { public function get($value = '') {
return Crypt::hmacBase64($value, session_id() . $this->privateKey->get() . drupal_get_hash_salt()); return Crypt::hmacBase64($value, session_id() . $this->privateKey->get() . drupal_get_hash_salt());
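Review bot: The claim that session-less users get a different token on every request is not something get() itself guarantees: the visible body only concatenates `session_id()` into the HMAC key, so the behaviour depends on how the session ID is initialised elsewhere. If `session_id()` were ever empty at this point, every session-less visitor would receive the same token for a given `$value`, and the token would no longer be bound to one user. The docblock should say where the per-request ID comes from, or a comment on the return line should state the assumption, e.g. `// Assumes session_id() is non-empty; an empty ID would make the token identical across users.` Also, "this function" should read "this method" in this docblock. The method body closes outside the hunk.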