From 6c5d1e65be87fde936931915c1b5814e9ff6e509 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Fri, 20 Jul 2012 12:22:26 -0400
Subject: [PATCH] Add csrf token to header via meta tag - used for ajax calls

---
 scp/staff.inc.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/scp/staff.inc.php b/scp/staff.inc.php
index c00913607..5dcf60450 100644
--- a/scp/staff.inc.php
+++ b/scp/staff.inc.php
@@ -81,8 +81,15 @@ if(!$thisstaff->isAdmin()) {
 //Keep the session activity alive
 $thisstaff->refreshSession();
 
+/******* CSRF Protectin *************/
 // Enforce CSRF protection for POSTS
-if ($_POST) csrf_ensure_cookie();
+if ($_POST  && !$ost->checkCSRFToken()) {
+    Http::response(400, 'Valid CSRF Token Required');
+    exit;
+}
+
+//Add token to the header - used on ajax calls [DO NOT CHANGE THE NAME] 
+$ost->addExtraHeader('<meta name="csrf_token" content="'.$ost->getCSRFToken().'" />');
 
 /******* SET STAFF DEFAULTS **********/
 //Set staff's timezone offset.
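Review bot: The new guard on the `if ($_POST && ...)` line only runs when `$_POST` is non-empty, so a POST whose body is not form-encoded (for example a JSON body sent by the very ajax calls the meta tag is meant to serve) or an empty POST is never checked; keying the check on the request method closes that gap, `if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$ost->checkCSRFToken()) {`. The meta tag is only useful if `checkCSRFToken()` also accepts the token from a request header or field that ajax callers can set, which is not visible in this hunk and would be worth stating in the comment above the `addExtraHeader` call. The banner comment reads `/******* CSRF Protectin *************/` and should be `/******* CSRF Protection ************/`; the `//Add token to the header` comment also carries trailing whitespace, and the double space in `$_POST  &&` looks accidental.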
-- 
GitLab