Commit 1a4f1df5 authored by Peter Rotich's avatar Peter Rotich

Add CSRF protection to client's forms

parent c70b987f
...@@ -51,8 +51,17 @@ if($_SESSION['_client']['userID'] && $_SESSION['_client']['key']) ...@@ -51,8 +51,17 @@ if($_SESSION['_client']['userID'] && $_SESSION['_client']['key'])
if($thisclient && $thisclient->getId() && $thisclient->isValid()){ if($thisclient && $thisclient->getId() && $thisclient->isValid()){
$thisclient->refreshSession(); $thisclient->refreshSession();
} }
/******* CSRF Protectin *************/
// Enforce CSRF protection for POSTS
if ($_POST && !$ost->checkCSRFToken()) {
@header('Location: index.php');
//just incase redirect fails
die('Action denied (400)!');
}
/* Client specific defaults */ /* Client specific defaults */
define('PAGE_LIMIT',DEFAULT_PAGE_LIMIT); define('PAGE_LIMIT', DEFAULT_PAGE_LIMIT);
$nav = new UserNav($thisclient, 'home'); $nav = new UserNav($thisclient, 'home');
?> ?>
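Review bot: The guard on the `if ($_POST && !$ost->checkCSRFToken())` line only fires when `$_POST` is non-empty, so a POST whose body parses to nothing (no fields, or a body over post_max_size that PHP drops, leaving `$_POST` empty) bypasses the token check; keying on the request method is tighter: `if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$ost->checkCSRFToken()) {`. The denial path also advertises a 400 in `die('Action denied (400)!')` while the preceding `@header('Location: index.php')` sends a 302, so a browser that follows the redirect never shows that message and the access log cannot distinguish a rejected request from an ordinary redirect; either answer with a real 400 or log the rejection so these events are visible. The comment on the first added line has a typo, `/******* CSRF Protection *************/`. The hunk header reports 9 additions but only 8 new lines are visible here, so the rendered page has presumably dropped blank lines; the guarded code is file-level in the include, not inside a function.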
...@@ -7,6 +7,7 @@ $ticketid=Format::input($_POST['lticket']?$_POST['lticket']:$_GET['t']); ...@@ -7,6 +7,7 @@ $ticketid=Format::input($_POST['lticket']?$_POST['lticket']:$_GET['t']);
<h1>Check Ticket Status</h1> <h1>Check Ticket Status</h1>
<p>To view the status of a ticket, provide us with the login details below.</p> <p>To view the status of a ticket, provide us with the login details below.</p>
<form action="login.php" method="post" id="clientLogin"> <form action="login.php" method="post" id="clientLogin">
<?php csrf_token(); ?>
<strong>Authentication Required</strong> <strong>Authentication Required</strong>
<div> <div>
<label for="email">E-Mail Address:</label> <label for="email">E-Mail Address:</label>
......
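Review bot: The added `<?php csrf_token(); ?>` line emits the token into the login form, but nothing in this hunk shows what `csrf_token()` outputs; a reviewer would want to confirm that the helper writes a hidden `<input>` whose value is HTML-attribute-escaped (or that the token is generated as alphanumerics only), otherwise the new line is an injection point inside the form. The same one-liner is added to the open-ticket form and to the reply form in the next two sections, so a single confirmation of the helper covers all three. Since enforcement elsewhere in this commit runs only for requests with a non-empty `$_POST`, a short comment on the line would keep future template authors from assuming GET forms are covered too, e.g. `<?php csrf_token(); /* checked by checkCSRFToken() on POST only */ ?>`.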
...@@ -13,6 +13,7 @@ $info=($_POST && $errors)?Format::htmlchars($_POST):$info; ...@@ -13,6 +13,7 @@ $info=($_POST && $errors)?Format::htmlchars($_POST):$info;
<h1>Open a New Ticket</h1> <h1>Open a New Ticket</h1>
<p>Please fill in the form below to open a new ticket.</p> <p>Please fill in the form below to open a new ticket.</p>
<form id="ticketForm" method="post" action="open.php" enctype="multipart/form-data"> <form id="ticketForm" method="post" action="open.php" enctype="multipart/form-data">
<?php csrf_token(); ?>
<input type="hidden" name="a" value="open"> <input type="hidden" name="a" value="open">
<div> <div>
<label for="name" class="required">Full Name:</label> <label for="name" class="required">Full Name:</label>
......
...@@ -91,6 +91,7 @@ if($ticket->getThreadCount() && ($thread=$ticket->getClientThread())) { ...@@ -91,6 +91,7 @@ if($ticket->getThreadCount() && ($thread=$ticket->getClientThread())) {
<div id="msg_warning"><?php echo $warn; ?></div> <div id="msg_warning"><?php echo $warn; ?></div>
<?php } ?> <?php } ?>
<form id="reply" action="tickets.php?id=<?php echo $ticket->getExtId(); ?>#reply" name="reply" method="post" enctype="multipart/form-data"> <form id="reply" action="tickets.php?id=<?php echo $ticket->getExtId(); ?>#reply" name="reply" method="post" enctype="multipart/form-data">
<?php csrf_token(); ?>
<h2>Post a Reply</h2> <h2>Post a Reply</h2>
<input type="hidden" name="id" value="<?php echo $ticket->getExtId(); ?>"> <input type="hidden" name="id" value="<?php echo $ticket->getExtId(); ?>">
<input type="hidden" name="a" value="reply"> <input type="hidden" name="a" value="reply">
......