jilo-web/app/includes/csrf_middleware.php

<?php

require_once __DIR__ . '/../helpers/security.php';

function applyCsrfMiddleware() {
    $security = SecurityHelper::getInstance();

    // Skip CSRF check for GET requests
    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        return true;
    }

    // Skip CSRF check for initial login and registration attempts
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && 
        isset($_GET['page']) && 
        in_array($_GET['page'], ['login', 'register']) && 
        !isset($_SESSION['username'])) {
        return true;
    }

    // Check CSRF token for all other POST requests
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $token = $_POST['csrf_token'] ?? '';
        if (!$security->verifyCsrfToken($token)) {
            // Log CSRF attempt
            $logMessage = sprintf(
                "CSRF attempt detected - IP: %s, Page: %s, User: %s",
                $_SERVER['REMOTE_ADDR'],
                $_GET['page'] ?? 'unknown',
                $_SESSION['username'] ?? 'anonymous'
            );
            $logObject->insertLog(0, $logMessage, 'system');

            // Return error message
            http_response_code(403);
            die('Invalid CSRF token. Please try again.');
        }
    }

    return true;
}
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`<?php`

Reorganizes helper include files 2025-02-17 14:50:57 +00:00			`require_once __DIR__ . '/../helpers/security.php';`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00
Adds tests for middleware 2025-02-19 13:31:01 +00:00			`function applyCsrfMiddleware() {`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`$security = SecurityHelper::getInstance();`

			`// Skip CSRF check for GET requests`
			`if ($_SERVER['REQUEST_METHOD'] === 'GET') {`
			`return true;`
			`}`

Fixes CSRF 2025-02-23 15:48:02 +00:00			`// Skip CSRF check for initial login and registration attempts`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`if ($_SERVER['REQUEST_METHOD'] === 'POST' &&`
Fixes CSRF 2025-02-23 15:48:02 +00:00			`isset($_GET['page']) &&`
			`in_array($_GET['page'], ['login', 'register']) &&`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`!isset($_SESSION['username'])) {`
			`return true;`
			`}`

			`// Check CSRF token for all other POST requests`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$token = $_POST['csrf_token'] ?? '';`
			`if (!$security->verifyCsrfToken($token)) {`
			`// Log CSRF attempt`
Adds proper logging to CSRF middleware 2025-02-23 11:51:36 +00:00			`$logMessage = sprintf(`
			`"CSRF attempt detected - IP: %s, Page: %s, User: %s",`
			`$_SERVER['REMOTE_ADDR'],`
			`$_GET['page'] ?? 'unknown',`
			`$_SESSION['username'] ?? 'anonymous'`
			`);`
Fixes CSRF 2025-02-23 15:48:02 +00:00			`$logObject->insertLog(0, $logMessage, 'system');`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00
			`// Return error message`
			`http_response_code(403);`
			`die('Invalid CSRF token. Please try again.');`
			`}`
			`}`

			`return true;`
			`}`