send CSRF token in a response header,

update the page's CSRF tokens with the new token from the response header, verify csrf token in ajax endpoints, initialize a session for every endpoint
2025-03-01 10:31:47 +00:00 · 2019-08-06 21:34:58 +02:00
parent 8f3489cd4a
commit da69d3d768
11 changed files with 48 additions and 13 deletions
--- a/includes/csrf.php
+++ b/includes/csrf.php
@@ -0,0 +1,11 @@
+<?php
+
+include_once('includes/functions.php');
+include_once('includes/session.php');
+
+if (csrfValidateRequest() && !CSRFValidate()) {
+  handleInvalidCSRFToken();
+}
+
+ensureCSRFSessionToken();
+header('X-CSRF-Token', $_SESSION['csrf_token']);
--- a/includes/session.php
+++ b/includes/session.php
@@ -0,0 +1,5 @@
+<?php
+
+if (session_status() == PHP_SESSION_NONE) {
+  session_start();
+}