ColdFusion forcing CSRF to fail

I have a website that checks for CSRF tokens when a user logs in. The form looks like

    <input type="hidden" name="token" value="#CSRFGenerateToken()#" />

Later it is checked with

    if (framework.getCGIRequestMethod() == "post" && !CSRFverifyToken(rc.token)) {
        rc.arMessage.append("<b>Debug:</b> Fail Token");
    }

I would like to verify that this is actually checking. Does the token ever expire or time out? Changing it in application.cfc does not seem to do anything. Is the token based on the domain name?

I need to test this. I don't need to automate the testing, but just test it somehow.


  • For testing this, use something like the following. Target the form's action page:

    • Create a GET request; verify it throws an error.
    • Create a POST request without the token field; verify it throws an error.
    • Create a POST request with the token field and with a value that does not match the value generated by CSRFGenerateToken(); verify it throws an error.
    • Create a POST request with the token and the correct value; verify it processes correctly.
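The four checks above as an added test harness (example code, not from the question or the answer). `FakeSession`, `csrf_generate_token`, `csrf_verify_token` and `fake_login` are constructed stand-ins for ColdFusion's session scope, `CSRFGenerateToken()`, `CSRFverifyToken()` and the form's action page, so the script runs offline; replace `fake_login` with a function that sends real HTTP requests to exercise the actual site. It also adds a fifth case the answer does not list: a token minted in a different session must be rejected, since ColdFusion stores the token per session.

```python
import secrets

class FakeSession:
    """Constructed stand-in for ColdFusion's session scope: one token store per session."""
    def __init__(self):
        self.tokens = {}

def csrf_generate_token(session, key="default"):
    """Stand-in for CSRFGenerateToken(): mint a random token and keep it in the session."""
    token = secrets.token_hex(20)
    session.tokens[key] = token
    return token

def csrf_verify_token(session, token, key="default"):
    """Stand-in for CSRFverifyToken(): true only if the token matches this session's token."""
    expected = session.tokens.get(key)
    if expected is None or token is None:
        return False
    return secrets.compare_digest(expected, token)  # constant-time comparison

def fake_login(session, method, form):
    """Stand-in for the form's action page; returns (status, message).
    Accepts only a POST that carries this session's token."""
    if method.upper() != "POST":
        return 405, "Fail Method"
    if not csrf_verify_token(session, form.get("token")):
        return 403, "Fail Token"
    return 200, "OK"

def run_csrf_checks(handler, session, good_token, foreign_token):
    """Run the answer's four cases plus a cross-session case against `handler`.
    Each result is True when the handler behaved as expected, False otherwise."""
    cases = [  # (name, method, form fields, should the request be processed?)
        ("GET request", "GET", {"token": good_token}, False),
        ("POST without token field", "POST", {}, False),
        ("POST with non-matching token", "POST", {"token": "0" * 40}, False),
        ("POST with another session's token", "POST", {"token": foreign_token}, False),
        ("POST with correct token", "POST", {"token": good_token}, True),
    ]
    results = {}
    for name, method, form, should_pass in cases:
        status, _ = handler(session, method, form)
        results[name] = (status == 200) == should_pass
    return results

if __name__ == "__main__":
    user_session, other_session = FakeSession(), FakeSession()
    good = csrf_generate_token(user_session)
    foreign = csrf_generate_token(other_session)
    for name, ok in run_csrf_checks(fake_login, user_session, good, foreign).items():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
```

Any case reported as FAIL means the action page processed a request it should have rejected (or rejected the one legitimate request), which is exactly what the manual checks in the answer are meant to surface.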