Secure forms

Writing secure input forms

The Elgg framework has built-in protection against CSRF attacks: it embeds anti-CSRF tokens in its forms. When writing a plugin, it is strongly recommended that you use these protections. In Elgg 1.7 they will be required in order to use Elgg's action system.

With each session, Elgg generates a unique private token that is stored in the session data. Every time a form is created, another token is derived from that private token, the session identifier, the user agent, a site secret, and the timestamp. This token and the timestamp are embedded in the form as hidden inputs. When the form is submitted, the submitted token is validated against the token the server expects for that session and timestamp, and the timestamp must be less than one hour old.
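To make the scheme concrete, here is an added example (not Elgg's own code) that models the token derivation and validation described above in plain PHP 7. The function names, the hidden field names form_ts and form_token, and the SITE_SECRET value are assumptions for illustration only.

```php
<?php
// Added example, not Elgg's implementation: a minimal model of the per-form
// anti-CSRF token scheme described above. Requires PHP 7+ (random_bytes).

define('SITE_SECRET', 'constructed-site-secret-replace-me'); // constructed value
define('TOKEN_MAX_AGE', 3600); // tokens expire after one hour, as the text states

// One private token per session, generated once and kept server-side in session data.
function session_private_token(array &$session) {
    if (empty($session['private_token'])) {
        $session['private_token'] = bin2hex(random_bytes(16));
    }
    return $session['private_token'];
}

// Per-form token derived from the private token, session id, user agent,
// site secret and timestamp, so it is bound to this session, browser and hour.
function make_form_token(array &$session, $session_id, $user_agent, $ts) {
    $material = session_private_token($session) . '|' . $session_id . '|' . $user_agent . '|' . (int) $ts;
    return hash_hmac('sha256', $material, SITE_SECRET);
}

// Hidden inputs carrying the timestamp and token, to be placed in the form body.
// Field names form_ts / form_token are assumptions, not Elgg's real field names.
function form_token_fields(array &$session, $session_id, $user_agent) {
    $ts = time();
    $token = make_form_token($session, $session_id, $user_agent, $ts);
    return '<input type="hidden" name="form_ts" value="' . (int) $ts . '" />'
         . '<input type="hidden" name="form_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Validation on submission: reject missing, future or expired timestamps, then
// recompute the expected token from the same inputs and compare in constant time.
function check_form_token(array &$session, $session_id, $user_agent, array $post, $now = null) {
    $now = ($now === null) ? time() : (int) $now;
    if (!isset($post['form_ts'], $post['form_token'])) {
        return false;
    }
    $ts = (int) $post['form_ts'];
    if ($ts > $now || ($now - $ts) >= TOKEN_MAX_AGE) {
        return false;
    }
    $expected = make_form_token($session, $session_id, $user_agent, $ts);
    return hash_equals($expected, (string) $post['form_token']);
}

// Usage sketch with constructed session data.
$session = array();
$sid = 'constructed-session-id';
$ua  = 'Mozilla/5.0 (constructed user agent)';

$hidden_fields = form_token_fields($session, $sid, $ua); // goes into the form body

// Simulate the browser posting the fields back.
$ts   = time();
$post = array('form_ts' => $ts, 'form_token' => make_form_token($session, $sid, $ua, $ts));

$ok_same_session   = check_form_token($session, $sid, $ua, $post);
$ok_other_session  = check_form_token($session, 'another-session-id', $ua, $post);
$ok_expired        = check_form_token($session, $sid, $ua, $post, $ts + TOKEN_MAX_AGE);
```

Because the user agent, session id and timestamp are all mixed into the HMAC, a token lifted from one session cannot be replayed from another, and the expiry check limits how long a leaked token stays usable; the constant-time comparison (hash_equals) avoids leaking the expected token through timing differences.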

On your form

Do not write the form HTML yourself; instead use the input/* views and the input/form view.

All input fields should be encapsulated inside an input/form view. This view accepts the following parameters in its $vars array:

  • $vars['body'] The body of the form (made up of other input/xxx views and HTML)
  • $vars['method'] Method (default POST)
  • $vars['enctype'] How the form is encoded, default blank
  • $vars['action'] URL of the action being called, e.g. "{$CONFIG->url}actions/my/action"
  • $vars['internalname'] Name of your form - mainly used for JavaScript
  • $vars['internalid'] ID field - mainly used for CSS/JavaScript

Example:

global $CONFIG; // needed for $CONFIG->url outside of a view's own scope

// Build the form body from input/* views rather than hand-written HTML
$form_body = "<p>This is my form</p>";
$form_body .= elgg_view('input/text', array('internalname' => 'mytextbox', 'value' => ''));
$form_body .= elgg_view('input/submit', array('internalname' => 'submit'));
$action_url = "{$CONFIG->url}actions/my/action";

// input/form wraps the body and adds the anti-CSRF token and timestamp as hidden inputs
echo elgg_view('input/form', array('body' => $form_body, 'action' => $action_url));


URL links to actions

You may also pass this token with links to actions via the GET method easily by using either the output/confirmlink or output/url views and setting is_action to true.
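As an added example (not from the Elgg documentation), this shows both views being used to link to an action with the token attached. The action path my/action and the guid value are assumptions; the is_action parameter is the one named above, and href, text and confirm are the views' usual link parameters.

```php
<?php
// Added example, not the Elgg project's own code: linking to an action via GET
// with the anti-CSRF token and timestamp appended by the view.
global $CONFIG;

$action_url  = "{$CONFIG->url}actions/my/action"; // assumed action path
$entity_guid = 42;                                  // constructed guid for illustration

// A plain link: with is_action set to true, output/url appends the token
// and timestamp, so the action system will accept the request.
echo elgg_view('output/url', array(
    'href'      => $action_url . '?guid=' . (int) $entity_guid,
    'text'      => 'Run my action',
    'is_action' => true,
));

// A link that asks the user to confirm before the action is called, useful
// for destructive actions; the token is added the same way.
echo elgg_view('output/confirmlink', array(
    'href'      => $action_url . '?guid=' . (int) $entity_guid,
    'text'      => 'Delete',
    'confirm'   => 'Are you sure?',
    'is_action' => true,
));
```

Building the link through the view rather than concatenating the URL yourself is what guarantees the token is present; a hand-written link to an action URL will be rejected once token checking is required.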
