CSRF Token

Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.)

Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern

functions.php

@@ -405,4 +405,18 @@ function getDomainExpirationDate($name){
   return '0000-00-00';
 }
 
+// Cross-Site Request Forgery check for sensitive functions
+// Validates the CSRF token provided matches the one in the users session
+function validateCSRFToken($token){
+  if(hash_equals($token, $_SESSION['csrf_token'])){
+    return true;
+  }
+  else{
+    $_SESSION['alert_type'] = "warning";
+    $_SESSION['alert_message'] = "CSRF token verification failed. Try again, or log out to refresh your token.";
+    header("Location: index.php");
+    exit();
+  }
+}
+
 ?>