Experimental project
This is a sandbox project, which contains experimental code for developer use only.
Automatically adds a drupal_get_token() query string parameter to any menu link whose menu router item has 'token' => TRUE in its hook_menu() definition. This helps protect those links against CSRF attacks.
Protection support for core menu callbacks
By default, this module adds CSRF token protection to the following core menu callbacks:
user/logout
This in turn ensures that any menu links to them are output as:
user/logout?token=hash-string-here
The token is then checked using hook_menu_site_status_alter().
Usage
function mymodule_menu() {
  $items['mymodule/path'] = array(
    'title' => 'Sample dangerous callback',
    'description' => 'A sample menu callback that should be protected from CSRF attacks using tokens.',
    'page callback' => 'mymodule_dangerous_callback',
    'access arguments' => array('administer mymodule'),
    'token' => TRUE, // Add this to automatically have this path protected.
  );
  return $items;
}
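The token scheme described above, as an added stand-alone PHP example (not this module's code and not Drupal core): a link is accepted only when its token matches both the current session and the requested path. The function names, key material and session IDs are hypothetical; the token derivation is modelled on Drupal 7's drupal_get_token(), and using the link path as the token value is an assumption.

```php
<?php
// Added example: stand-alone model of per-session link tokens (not Drupal code).
// All names are hypothetical; key material below is constructed sample data.

/** URL-safe base64 HMAC-SHA256, the shape of token Drupal 7 core produces. */
function example_hmac_base64(string $data, string $key): string {
  $mac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($mac, array('+' => '-', '/' => '_', '=' => ''));
}

/** Token bound to one session and one value (assumed here: the link path). */
function example_get_token(string $value, string $session_id, string $site_key): string {
  return example_hmac_base64($value, $session_id . $site_key);
}

/** Build the link the way the page shows it: path?token=... */
function example_protected_link(string $path, string $session_id, string $site_key): string {
  return $path . '?token=' . rawurlencode(example_get_token($path, $session_id, $site_key));
}

/** Request-time check: TRUE only if the token matches this session and path. */
function example_request_allowed(string $url, string $session_id, string $site_key): bool {
  $parts = parse_url($url);
  $query = array();
  parse_str($parts['query'] ?? '', $query);
  $token = $query['token'] ?? NULL;
  if (!is_string($token) || $token === '') {
    return FALSE; // Missing token, or token[]=... sent as an array: deny.
  }
  $expected = example_get_token($parts['path'] ?? '', $session_id, $site_key);
  return hash_equals($expected, $token); // Constant-time comparison.
}

$site_key = 'constructed-site-private-key';   // Stands in for private key + hash salt.
$alice = 'constructed-session-id-alice';
$bob = 'constructed-session-id-bob';

$link = example_protected_link('user/logout', $alice, $site_key);
$moved = str_replace('user/logout', 'mymodule/path', $link);

var_dump(example_request_allowed($link, $alice, $site_key));         // Link rendered for this session.
var_dump(example_request_allowed('user/logout', $alice, $site_key)); // Forged link without a token.
var_dump(example_request_allowed($link, $bob, $site_key));           // Token from another session.
var_dump(example_request_allowed($moved, $alice, $site_key));        // Token reused on another path.
```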
Resources
- Help get this functionality into Drupal core and deprecate this module: #755584: Built-in support for csrf tokens in links and menu router
Project information
- Minimally maintained: Maintainers monitor issues, but fast responses are not guaranteed.
- Maintenance fixes only: Considered feature-complete by its maintainers.
- Module categories: Security, Developer Tools
- Created by Dave Reid on , updated