MAPG-133 add basic CSRF protection to server side

This commit is contained in:
Bence Pőcze 2020-06-13 22:38:30 +02:00
parent 9e196ebf33
commit 8e0c1ce08b
2 changed files with 10 additions and 0 deletions


@ -26,6 +26,12 @@ if ($match !== null) {
$authorized = true; $authorized = true;
} }
if ($method === 'post' && $request->post('anti_csrf_token') !== $request->session()->get('anti_csrf_token')) {
header('Content-Type: text/html; charset=UTF-8', true, 403);
echo json_encode(['error' => 'no_valid_anti_csrf_token']);
return;
}
if ($authorized) { if ($authorized) {
$response = call_user_func([$controller, $handler[1]]); $response = call_user_func([$controller, $handler[1]]);
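Review bot: The token comparison on the added `if ($method === 'post' && ...)` line uses `!==`, which short-circuits on the first differing byte; secrets should be compared with `hash_equals()`, and both sides should be coerced to string first because `hash_equals()` throws a TypeError on null. A missing session token also needs an explicit rejection: if `session()->get()` and `post()` both return null the current check passes, so the guard should fail closed when the session value is empty. The 403 response sets `Content-Type: text/html` but the body is `json_encode(...)`; `application/json` matches what is sent. Only `post` is covered here — if the router also dispatches other state-changing verbs that is presumably a gap, but those routes are not visible in this hunk. The enclosing `if ($match !== null) {` block starts before the hunk.
```php
$sessionToken = (string) $request->session()->get('anti_csrf_token');
$postedToken = (string) $request->post('anti_csrf_token');
if ($method === 'post' && ($sessionToken === '' || !hash_equals($sessionToken, $postedToken))) {
    header('Content-Type: application/json; charset=UTF-8', true, 403);
    echo json_encode(['error' => 'no_valid_anti_csrf_token']);
    return;
}
// … unchanged: $authorized dispatch …
```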


@ -38,3 +38,7 @@ session_start([
'cookie_httponly' => true, 'cookie_httponly' => true,
'cookie_samesite' => 'Lax' 'cookie_samesite' => 'Lax'
]); ]);
if (!isset($_SESSION['anti_csrf_token'])) {
$_SESSION['anti_csrf_token'] = hash('sha256', random_bytes(10) . microtime());
}
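Review bot: The token on the added `$_SESSION['anti_csrf_token'] = hash('sha256', random_bytes(10) . microtime());` line draws only 10 bytes (80 bits) of entropy and then runs it through SHA-256; the `microtime()` suffix adds no unpredictability, and the hash does not add entropy either. A plainer and stronger form is `$_SESSION['anti_csrf_token'] = bin2hex(random_bytes(32));`, which yields a 64-character hex token and needs no hashing. A short comment above the block would help the next reader, e.g. `// Per-session anti-CSRF token; compared against the posted token on every POST.` Consider also regenerating the token together with `session_regenerate_id()` at login or privilege change, assuming such a point exists elsewhere in the file.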