I am in the process of implementing a CSRFProtector (mebjas CSRF-Protector-PHP) referenced on the OWASP website.
I followed the instructions for this library. In all PHP files, I have included the csrfprotector.php file and called csrfProtector::init(). For JavaScript, I have included the csrfprotector.js file once within the HTML of the page and called

window.addEventListener("DOMContentLoaded", function() {
    csrfprotector_init();
});
When I submit a form, I have found that the csrfprotector fails to verify that the tokens are the same. I have modified the CSRF to print out the SESSION and POST variables at this point, so when I visit the page, the following is echoed by the PHP via init() -> authorisePost().
post: {"anticsrf":false, ...}
session: []
403 Access Forbidden by CSRFProtector!
I observe using developer tools that no anticsrf token has been added to my cookies.
Since I was wondering why tokens weren't being created, I modified the script to not run authorisePost but instead run refreshToken() and I get tokens each time, but they are different.
post: {"anticsrf":"5ec0ae33dc", ...}
session: {"anticsrf":"cbf30a7d6b", ...}
403 Access Forbidden by CSRFProtector!
I observe using developer tools that the anticsrf token in Cookies is 14dd3db17f in this case.
Is there something that I can do to narrow down where my problem is coming from, or anything I have missed? Thanks.
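A small diagnostic that classifies the three token copies the protector compares (POST field, session, cookie), as an added example that is not part of CSRF-Protector-PHP or the question above; it assumes the token key `anticsrf` shown in the echoed output and must run after session_start() on the request that receives the form:

```php
<?php
// Added diagnostic, not part of CSRF-Protector-PHP. Assumes the token key
// 'anticsrf' seen in the question's output; adjust if your version differs.
declare(strict_types=1);

const TOKEN_KEY = 'anticsrf';

/**
 * Classify the state of the three token copies the protector compares.
 * Returns one of: 'no-session', 'no-post', 'no-cookie',
 * 'post-session-mismatch', 'cookie-session-mismatch', 'ok'.
 */
function diagnoseCsrfTokens(array $post, array $session, array $cookie): string
{
    // Empty session on the verifying request: the session was not started
    // before verification, the session cookie is not being sent back, or a
    // fresh session id was issued, so no stored token exists to compare.
    if ($session === []) {
        return 'no-session';
    }
    $sessionToken = (string) ($session[TOKEN_KEY] ?? '');
    $postToken    = $post[TOKEN_KEY] ?? null;
    $cookieToken  = $cookie[TOKEN_KEY] ?? null;

    // A false/empty POST token means the JS found no cookie to copy into the form.
    if (!is_string($postToken) || $postToken === '') {
        return 'no-post';
    }
    if (!is_string($cookieToken) || $cookieToken === '') {
        return 'no-cookie';
    }
    // Constant-time comparisons, as a verifier should use.
    if (!hash_equals($sessionToken, $postToken)) {
        return 'post-session-mismatch';
    }
    if (!hash_equals($sessionToken, $cookieToken)) {
        // Token regenerated after the cookie was set, e.g. refreshToken() on every request.
        return 'cookie-session-mismatch';
    }
    return 'ok';
}

// Usage (after session_start(), before csrfProtector::init() and before any output):
// error_log('csrf diagnosis: ' . diagnoseCsrfTokens($_POST, $_SESSION, $_COOKIE));
```

Against the two outputs in the question, the first case (session empty, POST token false) yields 'no-session' and the second (three different values) yields 'post-session-mismatch', which separates a session that never persists from a token being regenerated on each request.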