foundeo / cfdocs

Repository for the cfdocs.org site.
https://cfdocs.org/

Update csrfverifytoken.json #1660

Open burncitiesburn opened 1 month ago

burncitiesburn commented 1 month ago

csrfVerifyToken only checks the first 40 characters of the token passed in.

This should be included in the documentation as it means something like

csrfToken = 'ABC123ABCABC123ABCABC123ABCABC123ABCDEFG'&'123'

Will still verify if the generated token from generateCSRFToken is 'ABC123ABCABC123ABCABC123ABCABC123ABCDEFG'

(screenshot attached, 2024-07-11)

pfreitag commented 1 month ago

@burncitiesburn good find, this appears to only apply to Adobe ColdFusion, and not other engines such as Lucee, so it would be worth noting that as well.

burncitiesburn commented 1 month ago

@pfreitag I've updated it to read "For Adobe ColdFusion, only the first 40 characters of the passed-in token are used to verify."
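The following is an added example, not code from the cfdocs page or from either commenter. It reproduces the behaviour described in this thread (on Adobe ColdFusion, a token with extra characters appended past position 40 still passes csrfVerifyToken; on Lucee it does not) and wraps csrfVerifyToken in a length check so that appended characters are rejected on every engine. The wrapper name strictCsrfVerify is this example's own; the expected length is taken from csrfGenerateToken(), which with forceNew left false returns the session's current token for the default key rather than minting a new one.

```cfml
<cfscript>
// Added example: demonstrates the prefix-only comparison reported in this
// thread and a stricter wrapper. Not part of cfdocs or of any CFML engine.

token    = csrfGenerateToken();   // session token for the default key
tampered = token & "123";         // same token with three characters appended

writeOutput("csrfVerifyToken(token):    " & csrfVerifyToken(token) & "<br>");
// Per this thread: true on Adobe ColdFusion (only the first 40 characters
// are compared), false on Lucee.
writeOutput("csrfVerifyToken(tampered): " & csrfVerifyToken(tampered) & "<br>");

/**
 * strictCsrfVerify (example's own name): reject any candidate whose length
 * differs from the current session token before delegating to the built-in
 * check, so a token with trailing characters fails on every engine.
 */
function strictCsrfVerify(required string candidate) {
    // csrfGenerateToken() without forceNew returns the existing token, so
    // its length is the length a legitimate candidate must have.
    if (len(arguments.candidate) != len(csrfGenerateToken())) {
        return false;
    }
    return csrfVerifyToken(arguments.candidate);
}

writeOutput("strictCsrfVerify(token):    " & strictCsrfVerify(token) & "<br>");    // true
writeOutput("strictCsrfVerify(tampered): " & strictCsrfVerify(tampered) & "<br>"); // false
</cfscript>
```

Run the page twice, once against Adobe ColdFusion and once against Lucee, to see the engine difference the thread describes on the second writeOutput line; the strict wrapper gives the same answer on both.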