Added more security flags to prevent XSS attack from cookie.

2024-10-09 15:56:47 +01:00
parent c08c069479
commit 96365eef2a
4 changed files with 45 additions and 1 deletions
--- a/init.php
+++ b/init.php
@ -368,3 +368,34 @@ function isTableExist($table)
    }
 }

+function generateCsrfToken($expiryTime = 3600)
+{
+    $token = bin2hex(random_bytes(32));
+    $_SESSION['csrf_token'] = $token;
+    $_SESSION['csrf_token_time'] = time();
+    $_SESSION['csrf_token_expiry'] = $expiryTime;
+
+    return $token;
+}
+
+function validateCsrfToken($token)
+{
+    if (!isset($_SESSION['csrf_token'])) {
+        _log(Lang::T("CSRF token not set in session."));
+        return false;
+    }
+
+    if (is_null($token)) {
+        _log(Lang::T("Token passed is null."));
+        return false;
+    }
+
+    $tokenAge = time() - $_SESSION['csrf_token_time'];
+    if ($tokenAge > $_SESSION['csrf_token_expiry']) {
+        _log(Lang::T("CSRF token has expired."));
+        return false;
+    }
+
+
+    return hash_equals($_SESSION['csrf_token'], $token);
+}