ensure consistent session behavior

2025-04-11 22:36:43 -04:00
parent 8553efabc1
commit b06c49f213
16 changed files with 49 additions and 62 deletions
--- a/totp_setup.php
+++ b/totp_setup.php
@@ -14,10 +14,11 @@ if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
    exit;
 }

-// Verify CSRF token provided as a GET parameter.
-if (!isset($_GET['csrf']) || $_GET['csrf'] !== $_SESSION['csrf_token']) {
-    http_response_code(403);
-    exit;
+$headers = array_change_key_case(getallheaders(), CASE_LOWER);
+$csrfHeader = isset($headers['x-csrf-token']) ? trim($headers['x-csrf-token']) : '';
+
+if (!isset($_SESSION['csrf_token']) || $csrfHeader !== $_SESSION['csrf_token']) {
+    respond('error', 403, 'Invalid CSRF token');
 }

 $username = $_SESSION['username'] ?? '';