Force global secure request has been activated. CSRF-Token on all for…

…ms has been implemented.
khodakhah · Oct 2, 2021 · 18d8aad · 18d8aad
1 parent 858590a
commit 18d8aad
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/nodcms-core/Config/App.php b/nodcms-core/Config/App.php
@@ -124,7 +124,7 @@ class App extends BaseConfig
 	| secure, the user will be redirected to a secure version of the page
 	| and the HTTP Strict Transport Security header will be set.
 	*/
-	public $forceGlobalSecureRequests = false;
+	public $forceGlobalSecureRequests = true;
 
 	/*
 	|--------------------------------------------------------------------------
@@ -182,7 +182,7 @@ class App extends BaseConfig
 	|
 	*/
 	public $sessionDriver            = 'CodeIgniter\Session\Handlers\FileHandler';
-	public $sessionCookieName        = 'ci_session';
+	public $sessionCookieName        = 'sc';
 	public $sessionExpiration        = 7200;
 	public $sessionSavePath          = WRITEPATH . 'session';
 	public $sessionMatchIP           = false;
@@ -204,7 +204,7 @@ class App extends BaseConfig
 	|       'cookie_httponly') will also affect sessions.
 	|
 	*/
-	public $cookiePrefix   = '';
+	public $cookiePrefix   = 'nodcms_';
 	public $cookieDomain   = '';
 	public $cookiePath     = '/';
 	public $cookieSecure   = false;
@@ -243,11 +243,11 @@ class App extends BaseConfig
 	| CSRFRegenerate  = Regenerate token on every submission
 	| CSRFRedirect    = Redirect to previous page with error on failure
 	*/
-	public $CSRFTokenName  = 'csrf_test_name';
+	public $CSRFTokenName  = 'securekey';
 	public $CSRFHeaderName = 'X-CSRF-TOKEN';
-	public $CSRFCookieName = 'csrf_cookie_name';
+	public $CSRFCookieName = 'securetoken';
 	public $CSRFExpire     = 7200;
-	public $CSRFRegenerate = true;
+	public $CSRFRegenerate = false;
 	public $CSRFRedirect   = true;
 
 	/*

diff --git a/nodcms-core/Config/Filters.php b/nodcms-core/Config/Filters.php
@@ -20,7 +20,7 @@ class Filters extends BaseConfig
 		'before' => [
             'installedVerification',
 			//'honeypot'
-			// 'csrf',
+			 'csrf',
 		],
 		'after'  => [
 			'toolbar',

diff --git a/nodcms-core/Libraries/Form.php b/nodcms-core/Libraries/Form.php
@@ -129,6 +129,15 @@ function __construct($CI)
 
     function config($inputs, $action = '', $method = 'post', $type = 'ajax', $notes = array())
     {
+        // Add CSRF token on SSL Protocol requests
+        if(SSL_PROTOCOL) {
+            $inputs[] = [
+                'field'=>csrf_token(),
+                'type'=>"hidden",
+                'default'=>csrf_hash(),
+                'rules'=>"",
+            ];
+        }
         $this->data['inputs'] = $inputs;
         $this->data['action'] = $action;
         $this->data['back_url'] = $action;
@@ -303,6 +312,12 @@ function getPost($url = null)
             if($url != null)
                 $this->data['back_url'] = $url;
 
+            if(boolval(SSL_PROTOCOL) != Services::request()->isSecure()) {
+                $response = Services::quickResponse();
+                $this->errorResponse = $response->getError("Data post was not secure!", $this->data['back_url']);
+                return false;
+            }
+
             // Check form validation
             $validation->setRules(array_combine(array_column($config, 'field'), $config));