Login token

Jump to: navigation, search

Login token is a security related feature introduced in Moodle versions 3.1.15, 3.3.9, 3.4.6, 3.5.3 and 3.6.0. It helps to protect against a range of vulnerabilities, such as stealing other user's session, via the login form.

Starting from the said versions, all the login forms must include a new login token field and submit it together with the user's username and password. The value for the field must be obtained via the \core\session\manager::get_login_token() call. All attempts to log in without the login token provided will be rejected.

Required changes in custom login forms

Themes

If you use a custom theme, chances are that it uses its own customized template / renderer method to generate the login form. Such themes must be updated to support the new logintoken feature.

Most modern themes - such as those based on Boost or Clean - render the login form via a Mustache template from the given templatable \core_auth\output\login form instance. When the form is exported for the template, it returns the login token as a property of the rendering context and can be used directly in the theme. You just need to modify your theme's core/loginform template (Moodle 3.4 and later) or core/login (Moodle 3.3 and earlier) template and render the hidden field logintoken in the login form:

<input type="hidden" name="logintoken" value="{{logintoken}}">

Note: Your theme probably also provides the "Log in as a guest" button. You will have to add the token there, too.

Custom HTML login forms

If your plugin generates the HTML for the login form itself, you need to add the logintoken field to the form submitted back to Moodle.

<input type="hidden" name="logintoken" value="<?php echo s(\core\session\manager::get_login_token()); ?>" />

Sites with alternate login URL set

If the site has Alternate login URL ($CFG->alternateloginurl) set, the login token feature is implicitly disabled and no token validation happens. There is no general way to pass the expected token value to the external system that provides the login form.

Switching the login token protection off

The login token feature can be explicitly disabled by the administrator by setting a flag in the main config.php file.

This is strongly discouraged. Make sure you understand what your are doing and that you have a real reason to do that. The login token feature has been implemented for good reasons and there are known ways to exploit unprotected login forms.

// Do not do this unless you understand all the consequences.
$CFG->disablelogintoken = true;