From 165c418c75899a112a5ae964e5e2a82617d30a11 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 3 Feb 2026 20:51:45 +0000
Subject: [PATCH] Fix CSRF token handling: add session to index.php, fix cookie_secure for HTTPS
---
 contact-handler.php | 3 +++
 index.php | 11 ++++++++++-
 quote-handler.php | 2 +-
 quote.php | 2 +-
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/contact-handler.php b/contact-handler.php
index 90fab79..b836d4b 100644
--- a/contact-handler.php
+++ b/contact-handler.php
@@ -1,5 +1,8 @@
-
+ +
diff --git a/quote-handler.php b/quote-handler.php
index 757e96c..c5f753d 100644
--- a/quote-handler.php
+++ b/quote-handler.php
@@ -3,7 +3,7 @@
 // Ensure session cookie is available for AJAX requests
 ini_set('session.cookie_samesite', 'Lax');
 ini_set('session.cookie_httponly', '1');
-ini_set('session.cookie_secure', '0'); // Set to '1' if using HTTPS
+ini_set('session.cookie_secure', '1'); // Set to '1' if using HTTPS
 session_start();
 // Security headers
diff --git a/quote.php b/quote.php
index 62a1ee1..237a79f 100644
--- a/quote.php
+++ b/quote.php
@@ -2,7 +2,7 @@
 // Start session before any output
 ini_set('session.cookie_samesite', 'Lax');
 ini_set('session.cookie_httponly', '1');
-ini_set('session.cookie_secure', '0'); // Set to '1' if using HTTPS
+ini_set('session.cookie_secure', '1'); // Set to '1' if using HTTPS
 session_start();
 // Enhanced security headers
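Review bot: The trailing comment on the changed `ini_set('session.cookie_secure', '1');` line in quote-handler.php still reads `// Set to '1' if using HTTPS`, which is now a stale instruction rather than a description of the setting; the quote.php hunk carries the same line and the same comment. With the flag on, the browser will not return the session cookie over plain HTTP, so the session-bound CSRF token will stop matching on any non-HTTPS access. I would state that on the line, e.g. `ini_set('session.cookie_secure', '1'); // HTTPS only: cookie is never sent over plain HTTP`. The same three `ini_set` calls are repeated in both files and had to be edited in each, so moving them into one shared include ahead of `session_start()` would keep the cookie flags from drifting apart again. Both scripts continue past the end of their hunks, so the session and header handling that follows is not visible here.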