MAPG-133 add basic CSRF protection to server side

2020-06-13 22:38:30 +02:00 · 2020-06-13 22:38:30 +02:00 · 8e0c1ce08b
commit 8e0c1ce08b
parent 9e196ebf33
2 changed files with 10 additions and 0 deletions
--- a/public/index.php
+++ b/public/index.php
@ -26,6 +26,12 @@ if ($match !== null) {
        $authorized = true;
    }

+    if ($method === 'post' && $request->post('anti_csrf_token') !== $request->session()->get('anti_csrf_token')) {
+        header('Content-Type: text/html; charset=UTF-8', true, 403);
+        echo json_encode(['error' => 'no_valid_anti_csrf_token']);
+        return;
+    }
+
    if ($authorized) {
        $response = call_user_func([$controller, $handler[1]]);

--- a/web.php
+++ b/web.php
@ -38,3 +38,7 @@ session_start([
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax'
 ]);
+
+if (!isset($_SESSION['anti_csrf_token'])) {
+    $_SESSION['anti_csrf_token'] = hash('sha256', random_bytes(10) . microtime());
+}