Secured actions

Secured actions provide a method of ensuring that the requested action indeed originates from the author who clicked or validated a form.

The autoriser() function does not provide this functionality. For example, it can verify what type of author (administrator, editor) has the right to perform which actions. But it can not verify which action has been effectively requested by which individual.

This is where secured actions are applied. What they do in fact, is make it possible to create URLs for links or forms which pass a special key. This key is generated based on several data: a random number generated on each connection by an author and stored alongside the author’s personal data, the author identifier, the name of the action and arguments of that action if there are any.

Using this passed key, when the author clicks on the link or the form, the action being called can confirm that it is actually the currently connected author who has requested the action to be performed (and not some malicious individual or robot executing an HTML query with stolen credentials!).

Author Mark Baber Published : Updated : 01/06/10

Translations : English, français