CSRF Token

Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.) Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
2026-02-28 10:54:52 +00:00 · 2022-05-01 18:43:53 +01:00
parent eee7c0b204
commit 61777116a9
9 changed files with 42 additions and 4 deletions
--- a/user_edit_modal.php
+++ b/user_edit_modal.php
@@ -8,6 +8,7 @@
        </button>
      </div>
      <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+        <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
        <input type="hidden" name="user_id" value="<?php echo $user_id; ?>">
        <input type="hidden" name="existing_file_name" value="<?php echo "$user_avatar"; ?>">
        <div class="modal-body bg-white">