“Magic Tokens” are used by Movable Type as a security precaution.
One common technique used by hackers is called a “replay attack” where they intercept a request from a session and are then able to resend it after making slight modifications to it. Magic tokens, which contain an encrypted timestamp, can be transmitted with a request and then subsequently verified to make these types of attacks more difficult.
Developers building plugins for Movable Type are strongly encouraged to generate and then validate a token with every form submission. The following are the methods you will need to familiarize yourself with:
Creates a new “magic token” string that can be embedded into a form as an input parameter. It should be used in conjunction with
validate_magic to ensure that the
Checks for a magic_token HTTP parameter and validates it for the current author. If it is invalid, an error message is assigned to the application and a false result is returned. If it is valid, it returns
return unless $app->validate_magic;
To populate a form with a valid magic token, place the token value in a hidden form field:
<input type="hidden" name="magic_token" value="<mt:var name=MAGIC_TOKEN>" />
If you’re protecting a hyperlink, add the token to the query parameters for that link.