Fix CSRF token handling: add session to index.php, fix cookie_secure for HTTPS

2026-02-03 20:51:45 +00:00
parent 72c9b4e9b4
commit 165c418c75
4 changed files with 15 additions and 3 deletions
--- a/contact-handler.php
+++ b/contact-handler.php
@@ -1,5 +1,8 @@
 <?php
 // Enhanced Contact Form Handler with Security
+ini_set('session.cookie_samesite', 'Lax');
+ini_set('session.cookie_httponly', '1');
+ini_set('session.cookie_secure', '1');
 session_start();

 // Form handler restored - temporary fix removed
--- a/index.php
+++ b/index.php
@@ -1,5 +1,13 @@
 <?php
 // Enhanced security headers
+// Session for CSRF token
+ini_set('session.cookie_samesite', 'Lax');
+ini_set('session.cookie_httponly', '1');
+ini_set('session.cookie_secure', '1');
+session_start();
+if (!isset($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+}
 header('X-Content-Type-Options: nosniff');
 header('X-Frame-Options: DENY');
 header('X-XSS-Protection: 1; mode=block');
@@ -1105,7 +1113,8 @@ $twitter_card_image = "https://ukdataservices.co.uk/assets/images/ukds-main-logo
                </div>
                
                <div class="contact-form">
-                    <form action="contact-handler.php" method="POST" class="form" novalidate>
+                    <form action="contact-handler.php" method="POST" class="form" novalidate>
+                        <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
                        <div class="form-group">
                            <label for="name">Contact Name *</label>
                            <input type="text" id="name" name="name" required aria-required="true" aria-describedby="name-error" autocomplete="name">
--- a/quote-handler.php
+++ b/quote-handler.php
@@ -3,7 +3,7 @@
 // Ensure session cookie is available for AJAX requests
 ini_set('session.cookie_samesite', 'Lax');
 ini_set('session.cookie_httponly', '1');
-ini_set('session.cookie_secure', '0'); // Set to '1' if using HTTPS
+ini_set('session.cookie_secure', '1'); // Set to '1' if using HTTPS
 session_start();

 // Security headers
--- a/quote.php
+++ b/quote.php
@@ -2,7 +2,7 @@
 // Start session before any output
 ini_set('session.cookie_samesite', 'Lax');
 ini_set('session.cookie_httponly', '1');
-ini_set('session.cookie_secure', '0'); // Set to '1' if using HTTPS
+ini_set('session.cookie_secure', '1'); // Set to '1' if using HTTPS
 session_start();

 // Enhanced security headers