-
Getting Started
- Video Quick-Start Series
- Server Requirements
- Installation
- An Overview of MODX
- FAQs & Troubleshooting
-
Making Sites with MODx
- Structuring Your Site
- Tag Syntax
-
Customizing Content
-
Template Variables
- Creating a Template Variable
- Adding a Custom TV Type - MODX 2.2
- Bindings
- Template Variable Input Types
- Template Variable Output Types
- Adding a Custom TV Input Type
- Adding a Custom TV Output Type
- Creating a multi-select box for related pages in your template
- Accessing Template Variable Values via the API
- Properties and Property Sets
- Input and Output Filters (Output Modifiers)
-
Template Variables
- Commonly Used Template Tags
-
Administering Your Site
-
Settings
-
System Settings
- access_category_enabled
- date_timezone
- access_context_enabled
- access_resource_group_enabled
- allow_duplicate_alias
- allow_forward_across_contexts
- allow_multiple_emails
- allow_tags_in_post
- archive_with
- automatic_alias
- auto_check_pkg_updates
- auto_check_pkg_updates_cache_expire
- auto_menuindex
- base_help_url
- blocked_minutes
- cache_action_map
- cache_context_settings
- cache_db
- cache_db_expires
- cache_db_session
- cache_default
- cache_disabled
- cache_format
- cache_handler
- cache_json
- cache_json_expires
- cache_lang_js
- cache_lexicon_topics
- cache_noncore_lexicon_topics
- cache_resource
- cache_resource_expires
- cache_scripts
- cache_system_settings
- clear_cache_refresh_trees
- compress_css
- compress_js
- concat_js
- container_suffix
- cultureKey
- custom_resource_classes
- default_per_page
- default_template
- editor_css_path
- editor_css_selectors
- emailsender
- emailsubject
- enable_dragdrop
- error_page
- extension_packages
- failed_login_attempts
- feed_modx_news
- feed_modx_news_enabled
- feed_modx_security
- feed_modx_security_enabled
- fe_editor_lang
- filemanager_path
- filemanager_path_relative
- filemanager_url
- filemanager_url_relative
- forgot_login_email
- friendly_alias_lowercase_only
- forward_merge_excludes
- friendly_alias_max_length
- friendly_alias_restrict_chars
- friendly_alias_restrict_chars_pattern
- friendly_alias_strip_element_tags
- friendly_alias_translit
- friendly_alias_translit_class
- friendly_alias_translit_class_path
- friendly_alias_trim_chars
- friendly_alias_urls
- friendly_alias_word_delimiter
- friendly_alias_word_delimiters
- friendly_urls
- friendly_url_prefix
- friendly_url_suffix
- global_duplicate_uri_check
- hidemenu_default
- link_tag_scheme
- mail_charset
- mail_encoding
- mail_smtp_auth
- mail_smtp_helo
- mail_smtp_hosts
- mail_smtp_keepalive
- mail_smtp_pass
- mail_smtp_port
- mail_smtp_prefix
- mail_smtp_single_to
- mail_smtp_timeout
- mail_smtp_user
- mail_use_smtp
- manager_date_format
- manager_direction
- manager_favicon_url
- manager_language
- manager_lang_attribute
- manager_theme
- manager_time_format
- context_tree_sort
- context_tree_sortby
- context_tree_sortdir
- session_enabled
- modx_charset
- new_file_permissions
- new_folder_permissions
- password_generated_length
- password_min_length
- phpthumb_allow_src_above_docroot
- phpthumb_cache_maxage
- phpthumb_cache_maxfiles
- phpthumb_cache_maxsize
- phpthumb_cache_source_enabled
- phpthumb_document_root
- phpthumb_error_bgcolor
- phpthumb_error_fontsize
- phpthumb_error_textcolor
- phpthumb_far
- phpthumb_imagemagick_path
- phpthumb_nohotlink_enabled
- phpthumb_nohotlink_erase_image
- phpthumb_nohotlink_text_message
- phpthumb_nohotlink_valid_domains
- phpthumb_nooffsitelink_enabled
- phpthumb_nooffsitelink_erase_image
- phpthumb_nooffsitelink_require_refer
- phpthumb_nooffsitelink_text_message
- phpthumb_nooffsitelink_valid_domains
- phpthumb_nooffsitelink_watermark_src
- phpthumb_zoomcrop
- principal_targets
- proxy_auth_type
- proxy_host
- proxy_password
- proxy_port
- proxy_username
- publish_default
- rb_base_dir
- rb_base_url
- request_controller
- request_param_alias
- request_param_id
- resource_tree_node_name
- resource_tree_node_tooltip
- richtext_default
- search_default
- server_offset_time
- server_protocol
- session_cookie_domain
- session_cookie_lifetime
- session_cookie_path
- session_cookie_secure
- session_handler_class
- session_name
- settings_version
- signupemail_message
- site_name
- site_start
- site_status
- site_unavailable_message
- site_unavailable_page
- strip_image_paths
- symlink_merge_fields
- tree_default_sort
- tree_root_id
- tvs_below_content
- udperms_allowroot
- ui_debug_mode
- unauthorized_page
- upload_maxsize
- use_alias_path
- use_browser
- use_editor
- use_multibyte
- welcome_screen
- which_editor
- which_element_editor
- xhtml_urls
-
System Settings
- Using Friendly URLs
- Contexts
- Customizing the Manager
- MODX GitHub Integrator's Guide
- Security
- Installing a Package
- Upgrading MODX
- Moving Your Site to a New Server, or to Root from Subfolder
- Media Sources
- Dashboards
-
Settings
-
Developing in MODx
- Code Standards
- Overview of MODx Development
-
Basic Development
-
Plugins
-
System Events
- OnMODXInit
- OnBeforeCacheUpdate
- OnBeforeChunkFormDelete
- OnBeforeChunkFormSave
- OnBeforeDocFormDelete
- OnBeforeDocFormSave
- OnBeforeEmptyTrash
- OnBeforeManagerLogin
- OnBeforeManagerLogout
- OnBeforeManagerPageInit
- OnBeforePluginFormDelete
- OnBeforePluginFormSave
- OnBeforeSaveWebPageCache
- OnBeforeSnipFormDelete
- OnBeforeSnipFormSave
- OnBeforeTempFormDelete
- OnBeforeTempFormSave
- OnBeforeTVFormDelete
- OnBeforeTVFormSave
- OnBeforeUserActivate
- OnBeforeUserFormDelete
- OnBeforeUserFormSave
- OnBeforeWebLogin
- OnBeforeWebLogout
- OnCacheUpdate
- OnCategoryBeforeRemove
- OnCategoryBeforeSave
- OnCategoryRemove
- OnCategorySave
- OnChunkBeforeRemove
- OnChunkBeforeSave
- OnChunkFormDelete
- OnChunkFormPrerender
- OnChunkFormRender
- OnChunkFormSave
- OnChunkRemove
- OnChunkSave
- OnContextBeforeRemove
- OnContextBeforeSave
- OnContextFormPrerender
- OnContextFormRender
- OnContextRemove
- OnContextSave
- OnDocFormDelete
- OnDocFormPrerender
- OnDocFormRender
- OnDocFormSave
- OnDocPublished
- OnDocUnPublished
- OnEmptyTrash
- OnFileManagerUpload
- OnHandleRequest
- OnInitCulture
- OnLoadWebDocument
- OnLoadWebPageCache
- OnManagerAuthentication
- OnManagerLogin
- OnManagerLoginFormPrerender
- OnManagerLoginFormRender
- OnManagerLogout
- OnManagerPageAfterRender
- OnManagerPageBeforeRender
- OnManagerPageInit
- OnPageNotFound
- OnPageUnauthorized
- OnParseDocument
- OnPluginBeforeRemove
- OnPluginBeforeSave
- OnPluginEventRemove
- OnPluginFormDelete
- OnPluginFormPrerender
- OnPluginFormRender
- OnPluginFormSave
- OnPluginRemove
- OnPluginSave
- OnPropertySetBeforeRemove
- OnPropertySetBeforeSave
- OnPropertySetRemove
- OnPropertySetSave
- OnResourceGroupBeforeRemove
- OnResourceGroupBeforeSave
- OnResourceGroupRemove
- OnResourceGroupSave
- OnRichTextBrowserInit
- OnRichTextEditorInit
- OnRichTextEditorRegister
- OnSiteRefresh
- OnSiteSettingsRender
- OnTemplateVarBeforeRemove
- OnTemplateVarBeforeSave
- OnTemplateVarRemove
- OnTemplateVarSave
- OnUserActivate
- OnUserBeforeRemove
- OnUserBeforeSave
- OnUserChangePassword
- OnUserFormDelete
- OnUserFormSave
- OnUserNotFound
- OnUserRemove
- OnUserSave
- OnWebAuthentication
- OnWebLogin
- OnWebLogout
- OnWebPageComplete
- OnWebPageInit
- OnWebPagePrerender
-
System Events
- Snippets
- xPDO
-
Plugins
-
Advanced Development
- Caching
- Custom Manager Pages
- Custom Resource Classes
- Extending modUser
- From the Command Line (CLI)
- Internationalization
- MODx Services
- Namespaces
- Package Management
- Using runProcessor
- Validating Requests: Tokens and Nonces
- Developing RESTful APIs
-
Other Development Resources
- Summary of Legacy Code Removed in 2.1
- API Reference
-
Class Reference
- modResource
- modChunk
- modUser
-
modX
- modX.addEventListener
- modX.checkForLocks
- modX.checkSession
- modX.executeProcessor
- modX.getAuthenticatedUser
- modX.getCacheManager
- modX.getChildIds
- modX.getChunk
- modX.getConfig
- modX.getContext
- modX.getEventMap
- modX.getLoginUserID
- modX.getLoginUserName
- modX.getParentIds
- modX.getParser
- modX.getPlaceholder
- modX.getRegisteredClientScripts
- modX.getRegisteredClientStartupScripts
- modX.getRequest
- modX.getResponse
- modX.getService
- modX.getSessionState
- modX.getTree
- modX.getUser
- modX.getVersionData
- modX.handleRequest
- modX.hasPermission
- modX.initialize
- modX.invokeEvent
- modX.lexicon
- modX.makeUrl
- modX.parseChunk
- modX.regClientCSS
- modX.regClientHTMLBlock
- modX.regClientScript
- modX.regClientStartupHTMLBlock
- modX.regClientStartupScript
- modX.reloadConfig
- modX.removeAllEventListener
- modX.removeEventListener
- modX.runProcessor
- modX.runSnippet
- modX.sendError
- modX.sendErrorPage
- modX.sendForward
- modX.sendRedirect
- modX.sendUnauthorizedPage
- modX.setDebug
- modX.setPlaceholder
- modX.setPlaceholders
- modX.switchContext
- modX.toPlaceholder
- modX.toPlaceholders
- modX.unsetPlaceholder
- modX.unsetPlaceholders
- Loading MODx Externally
- Reserved Parameters
-
Case Studies and Tutorials
- Developing an Extra in MODX Revolution
- Developing an Extra in MODX Revolution - MODX 2.1 and Earlier
- PHP Coding in MODx Revolution, Pt. I
- Using Custom Database Tables in your 3rd Party Components
- Creating a Blog in MODx Revolution
- Loading Pages in the Front-End via AJAX and jQuery Tabs
- Reverse Engineer xPDO Classes from Existing Database Table
- Integrating a Template into MODX Tutorial
- Quick and Easy MODX Tutorials
- Adding Custom Fields to Manager Forms
- Create a Multilingual Website with migxMultiLang
- Managing Resources and Elements via SVN
- MODX Community Information
-
Getting Started
Validating Requests: Tokens and Nonces
Created by Everett Griffiths on Nov 11, 2013.
Like many web applications, MODX signs requests to help prevent malicious requests from being processed. WordPress accomplishes this via nonces, and MODX uses tokens. By default, this behavior only takes place inside the MODX manager.
If you are working on Custom Manager Pages (CMPs), you may see values like the following that are included in the post data under a key named HTTP_MODAUTH:
$_POST['HTTP_MODAUTH'] => modx12345xxxx.9887_abcdef1234.0987654
This value is associated with a user and his current context -- this may seem strange, but consider that sessions are also associated with a "user" (even if the user is not logged in), and you can begin to understand why the relevant code is in the modUser class, but the default behavior here is that the tokens and their validation only applies to a user who is logged in.
For example, here's how you might test a form that was posted from somewhere in the manager.
$token = $modx->getOption('HTTP_MODAUTH', $_POST); if ($token != $modx->user->getUserToken($modx->context->get('key')) { // ERROR! Invalid request }
Recreating this type of security on the front-end of your site may be a bit more involved since the MODX functions are only accessible to an authenticated user.
Differences between Nonce and Token
A nonce makes a form valid for a period of time, say 30 minutes, after which it can no longer be successfully submitted. In a perfect world, you would have "single-serving" forms, where each form was uniquely signed and could only be submitted once. But that security model quickly breaks down in the real-world where you may have to use the back-button if a page load times out, so the nonces are usually configured to be valid for a window of time: the shorter the window, the more secure the nonce.
The tokens used by the MODX manager are session related, so as long as you are logged in (i.e. your session has expired), you can do what you want with your forms.
Example: let's say we load up a manager form, then we go out and run errands and come back 12 hours later. If the form had been signed using a nonce, you can submit the form, but it will probably fail because nonces usually have shorter lifetimes. If the form had been signed using a token, you can probably still submit it because your session is probably still good (sessions often have 24 hour lifetimes).
Suggest an edit to this page on GitHub (Requires GitHub account. Opens a new window/tab).