Add CSRF protection to client's forms

client.inc.php

@@ -51,8 +51,17 @@ if($_SESSION['_client']['userID'] && $_SESSION['_client']['key'])
 if($thisclient && $thisclient->getId() && $thisclient->isValid()){
      $thisclient->refreshSession();
 }
+
+/******* CSRF Protectin *************/
+// Enforce CSRF protection for POSTS
+if ($_POST  && !$ost->checkCSRFToken()) {
+    @header('Location: index.php');
+    //just incase redirect fails
+    die('Action denied (400)!');
+}
+
 /* Client specific defaults */
-define('PAGE_LIMIT',DEFAULT_PAGE_LIMIT);
+define('PAGE_LIMIT', DEFAULT_PAGE_LIMIT);
 
 $nav = new UserNav($thisclient, 'home');
 ?>

include/client/login.inc.php

@@ -7,6 +7,7 @@ $ticketid=Format::input($_POST['lticket']?$_POST['lticket']:$_GET['t']);
 <h1>Check Ticket Status</h1>
 <p>To view the status of a ticket, provide us with the login details below.</p>
 <form action="login.php" method="post" id="clientLogin">
+    <?php csrf_token(); ?>
     <strong>Authentication Required</strong>
     <div>
         <label for="email">E-Mail Address:</label>

include/client/open.inc.php

@@ -13,6 +13,7 @@ $info=($_POST && $errors)?Format::htmlchars($_POST):$info;
 <h1>Open a New Ticket</h1>
 <p>Please fill in the form below to open a new ticket.</p>
 <form id="ticketForm" method="post" action="open.php" enctype="multipart/form-data">
+    <?php csrf_token(); ?>
     <input type="hidden" name="a" value="open">
     <div>
         <label for="name" class="required">Full Name:</label>

include/client/view.inc.php

@@ -91,6 +91,7 @@ if($ticket->getThreadCount() && ($thread=$ticket->getClientThread())) {
     <div id="msg_warning"><?php echo $warn; ?></div>
 <?php } ?>
 <form id="reply" action="tickets.php?id=<?php echo $ticket->getExtId(); ?>#reply" name="reply" method="post" enctype="multipart/form-data">
+    <?php csrf_token(); ?>
     <h2>Post a Reply</h2>
     <input type="hidden" name="id" value="<?php echo $ticket->getExtId(); ?>">
     <input type="hidden" name="a" value="reply">