CSRF Token

Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.) Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
2026-02-28 10:54:52 +00:00 · 2022-05-01 18:43:53 +01:00
parent eee7c0b204
commit 61777116a9
9 changed files with 42 additions and 4 deletions
--- a/login.php
+++ b/login.php
@@ -63,6 +63,9 @@ if(isset($_POST['login'])){
            $user_name = $row['user_name'];
            $user_id = $row['user_id'];

+            // CSRF Token
+            $_SESSION['csrf_token'] = keygen();
+
            // Setup encryption session key
            if (isset($row['user_specific_encryption_ciphertext']) && $row['user_role'] > 1) {
                $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];