author | Andrew Dolgov <[email protected]> | 2021-03-14 14:17:18 +0300 |
committer | Andrew Dolgov <[email protected]> | 2021-03-14 14:17:18 +0300 |
commit | 1c9afba5f058adace5e005b51fc533882f9af0fa (patch) | |
tree | 99f4a228acf9f969d5411048c210338ba0fd126a /include | |
parent | 2b8b845abe7c13ecbb266613910484310cffe8e1 (diff) |
* add CSRF protection to xhr requests
* force ORM to use SQLITE WAL
* add .editorconfig
* cleanup a few things
Diffstat (limited to 'include')
-rw-r--r-- | include/common.php | 4 | ||||
-rw-r--r-- | include/sessions.php | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/include/common.php b/include/common.php
index 8f57b91..ee3921b 100644
--- a/include/common.php
+++ b/include/common.php
@@ -13,6 +13,10 @@
 		return sprintf(...$args);
 	}
 
+	function validate_csrf($csrf_token) {
+		return isset($csrf_token) && hash_equals($_SESSION['csrf_token'] ?? "", $csrf_token);
+	}
+
 	function sql_bool_to_bool($s) {
 		return $s && ($s !== "f" && $s !== "false"); //no-op for PDO, backwards compat for legacy layer
 	}
diff --git a/include/sessions.php b/include/sessions.php
index b39a983..b4d901b 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -35,6 +35,10 @@
 			setcookie(session_name(), '', time()-42000, '/');
 		}
 
+		if (isset($_COOKIE["epube_csrf_token"])) {
+			setcookie("epube_csrf_token", '', time()-42000, '/');
+		}
+
 		session_commit();
 	}
 }
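Review bot: validate_csrf() does not fail closed when the session has no token yet: `$_SESSION['csrf_token'] ?? ""` turns a missing token into the empty string, and a request supplying an empty `csrf_token` (which passes `isset`) then satisfies `hash_equals("", "")`. It also passes the caller-supplied value straight into hash_equals(), which throws a TypeError on PHP 8 (warning and false on PHP 7) if the request carries an array such as `csrf_token[]=x`, so the check should reject non-string input before comparing. A tighter version is `$expected = $_SESSION['csrf_token'] ?? "";` followed by `return $expected !== "" && is_string($csrf_token) && hash_equals($expected, $csrf_token);`. Where the session token is generated, and what the XHR callers pass in, is outside this hunk, so the empty-token case may already be prevented upstream, but the helper should not depend on that.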
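Review bot: The added `setcookie("epube_csrf_token", '', time()-42000, '/')` only clears the cookie if its path, domain, secure and samesite attributes match the ones used when it was set; the browser treats a cookie with different attributes as a separate cookie and leaves the original in place after logout. The line that sets `epube_csrf_token` is not in this diff, so if it is set with `secure`/`samesite` options (likely, since the commit is about CSRF protection for XHR requests), the clearing call should use the same option array, e.g. `setcookie("epube_csrf_token", '', ['expires' => time()-42000, 'path' => '/', 'secure' => true, 'samesite' => 'Strict']);` with the values copied from the setter. A short comment such as `// must match the attributes used when the cookie is set, or the browser keeps it` would make that coupling explicit. The enclosing logout function starts outside this hunk.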