[TomatoCart] – Apply csrf token and form validator for create account action

In this article, I will show you how to apply a CSRF token and a form validator to the create account action in your bootstrap template.

  • Add a hidden CSRF token to the create account form to defend against CSRF attacks. The system validates the CSRF token when a request is sent to the server to create a new account in the store front.
  • If the client token differs from the token saved on the server, the request is ignored and the browser is redirected to the create account page again.
  • Add a form validation mechanism. If there is any error, it is shown as a popup message so that customers can correct it before submitting the form.


Steps to apply this plugin for your store

Note: this plugin is only available for the bootstrap template. Please don't apply it to the glass gray template.

Step 1. Download a package at https://www.dropbox.com/s/n9jwqo2z75cfev5/formsecurity.zip?dl=0.

Step 2. Unzip the package and copy the admin, includes and templates folders into the TomatoCart root directory to override the original files.

Step 3. Open includes/content/account/create.php to edit:

— Find the following code:

global $messageStack, $osC_Database, $osC_Language, $osC_Customer;

— Replace it with:

global $messageStack, $osC_Database, $osC_Language, $osC_Customer, $osC_Session;

// Abort the request when the CSRF token is missing or does not match the token stored in the session
if ( ! isset($_POST['token']) || ! $osC_Session->validateToken($_POST['token'])) {
  osc_redirect(osc_href_link(FILENAME_ACCOUNT, 'create', 'SSL'));
}

Step 4. Open templates/bootstrap/content/account/create.php to edit:

— Find the following code:

<div class="submitFormButtons">
    <a href="<?php echo osc_href_link(FILENAME_ACCOUNT, null, 'SSL'); ?>" class="btn btn-small pull-left"><i class="icon-chevron-left icon-white"></i> <?php echo $osC_Language->get('button_back'); ?></a>
    <button type="submit" class="btn btn-small pull-right"><i class="icon-ok-sign icon-white"></i> <?php echo $osC_Language->get('button_continue'); ?></button>

— Add the following code after it:

    <input type="hidden" name="token" value="<?php echo $_SESSION['_token']; ?>" />
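To make the two halves of Steps 3 and 4 concrete, here is a stand-alone PHP page (an added example, not code from the plugin or from TomatoCart) that generates a per-session token, embeds it in the form, rejects a POST whose token is missing or wrong, and then runs the same kind of server-side field validation the plugin's popup messages are based on. It assumes PHP 7 or later and plain PHP sessions instead of TomatoCart's osC_Session class; the helper names are invented for this example.

```php
<?php
// Added example with assumed helper names; not TomatoCart's osC_Session API.
session_start();
// Generate a per-session token once and keep it on the server side.
function csrf_token(): string {
    if (empty($_SESSION['_token'])) {
        $_SESSION['_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_token'];
}
// Compare the submitted token with the session token in constant time.
// No type hint on $submitted: a crafted token[]=x must fail, not throw.
function csrf_token_valid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['_token'])
        && hash_equals($_SESSION['_token'], $submitted);
}
// Server-side validation of the create-account fields; returns error messages.
function validate_create_account(array $post): array {
    $errors = [];
    if (trim($post['firstname'] ?? '') === '') {
        $errors[] = 'First name is required.';
    }
    if (!filter_var($post['email_address'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'A valid e-mail address is required.';
    }
    if (strlen($post['password'] ?? '') < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    return $errors;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Missing or wrong token: ignore the request and go back to the form,
    // mirroring the redirect in Step 3.
    if (!csrf_token_valid($_POST['token'] ?? null)) {
        header('Location: create.php');
        exit;
    }
    $errors = validate_create_account($_POST);
    // $errors would be shown to the customer; an empty list means the account can be created.
}
?>
<form method="post" action="create.php">
  <input type="text" name="firstname">
  <input type="email" name="email_address">
  <input type="password" name="password">
  <!-- Hidden token as in Step 4, HTML-escaped before output -->
  <input type="hidden" name="token" value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>">
  <button type="submit">Continue</button>
</form>
```

Note that the token check runs before field validation, so a forged request is dropped without ever reaching the account-creation logic, and the client-side popup validation remains a usability aid rather than the security boundary.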

Done. I strongly recommend applying this plugin to your store. It significantly improves both the security of your create account page and its user experience.



Author Spotlight

Jack Yin

TomatoCart Developer & Co Founder - Arvixe Web Hosting / TomatoCart Community Liaison
