added form token to session to validate form submission from frontend

3 years ago · fdc6cb2cf2
parent f2450b2be5
commit fdc6cb2cf2
5 changed files with 16 additions and 1 deletions
--- a/brain/controller/DashControl.inc.php
+++ b/brain/controller/DashControl.inc.php
@ -101,6 +101,7 @@ class DashControl
                "title" => "Fipamo | Edit Page",
                "page" => (new Book("../content/pages"))->findPageById($uuid),
                "mode" => $mode,
+                "token" => Session::get("form_token"),
                "status" => Session::active(),
              ];
            } else {
--- a/brain/data/Auth.inc.php
+++ b/brain/data/Auth.inc.php
@ -53,9 +53,12 @@ class Auth
          time() + 3600,
          "localhost"
        ); //expires in an hour
+
+        $form_token = md5(uniqid(microtime(), true));
        Session::start();
        Session::set("member", $member);
        Session::set("token", $token);
+        Session::set("form_token", $form_token);

        $result = "good_login";
      } else {
--- a/brain/data/Session.inc.php
+++ b/brain/data/Session.inc.php
@ -8,6 +8,7 @@ class Session
  private static $data = [
    "member" => "",
    "token" => "",
+    "form_token" => "",
  ];
  public static function start()
  {
--- a/brain/views/dash/page-edit.twig
+++ b/brain/views/dash/page-edit.twig
@ -78,6 +78,7 @@
                {% endapply %}                
                <input id="featured-image-upload" type="file" name="featured-image-upload"/>
                <input id="post-image-upload" type="file" name="post-image-upload"/>
+                <input name="token" type="hidden" value="{{ token }}">
              </div>
            </div>
          </div>
--- a/public/assets/scripts/dash.min.js
+++ b/public/assets/scripts/dash.min.js