Add csrf tokens to all sensitive forms

2019-01-27 17:40:12 +01:00
parent cf83b9901a
commit 9c5294e64e
7 changed files with 79 additions and 48 deletions
--- a/var/www/common.php
+++ b/var/www/common.php
@ -248,6 +248,9 @@ function send_captcha() {

 function check_login(){
 	global $db;
+	if(empty($_SESSION['csrf_token']){
+		$_SESSION['csrf_token']=sha1(uniqid());
+	}
 	if(empty($_SESSION['hosting_username'])){
 		header('Location: login.php');
 		session_destroy();
@ -506,3 +509,10 @@ function add_user_db(PDO $db, int $user_id) : ?string {
 	$db->exec('FLUSH PRIVILEGES;');
 	return $mysql_db;
 }
+
+function check_csrf_error(){
+	if(empty($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']){
+		return 'Invalid CSRF token, please try again.';
+	}
+	return false;
+}