Adds proper logging to CSRF middleware

Yasen Pramatarov 2025-02-23 13:51:36 +02:00
parent c61f42792f
commit 34779bb891
2 changed files with 10 additions and 5 deletions


@ -3,6 +3,7 @@
require_once __DIR__ . '/../helpers/security.php'; require_once __DIR__ . '/../helpers/security.php';
function applyCsrfMiddleware() { function applyCsrfMiddleware() {
global $dbWeb, $logObject;
$security = SecurityHelper::getInstance(); $security = SecurityHelper::getInstance();
// Skip CSRF check for GET requests // Skip CSRF check for GET requests
@ -22,9 +23,13 @@ function applyCsrfMiddleware() {
$token = $_POST['csrf_token'] ?? ''; $token = $_POST['csrf_token'] ?? '';
if (!$security->verifyCsrfToken($token)) { if (!$security->verifyCsrfToken($token)) {
// Log CSRF attempt // Log CSRF attempt
error_log("CSRF attempt detected from IP: " . $_SERVER['REMOTE_ADDR']); $logMessage = sprintf(
//FIXME log class not loaded "CSRF attempt detected - IP: %s, Page: %s, User: %s",
// $logObject->insertLog(0, "CSRF attempt detected from IP: " . $_SERVER['REMOTE_ADDR'], 'system'); $_SERVER['REMOTE_ADDR'],
$_GET['page'] ?? 'unknown',
$_SESSION['username'] ?? 'anonymous'
);
$logObject->insertLog(0, $logMessage);
// Return error message // Return error message
http_response_code(403); http_response_code(403);
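Review bot: `$logObject->insertLog(0, $logMessage)` at the end of the new block runs unguarded and replaces the former `error_log` fallback, yet the FIXME the commit deletes said the log class is not always loaded; if `$logObject` is unset the call fatals before `http_response_code(403)` and the CSRF event is recorded nowhere, so keep a fallback such as `isset($logObject) ? $logObject->insertLog(0, $logMessage) : error_log($logMessage);`. `$_GET['page']` is written into the message verbatim, so a crafted query string can inject line breaks or misleading text into log entries; restrict it to a known page name or strip control characters and cap its length before the `sprintf` call (the same applies to `$_SESSION['username']` if it originates from user input). The commented-out call the commit removes passed `'system'` as a third argument that the new call omits; confirm against insertLog's signature that the default is intended. `$dbWeb` is declared `global` in the first hunk but is not referenced in the visible lines; drop it unless the rest of applyCsrfMiddleware, which continues outside the hunk, uses it.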