├── .gitignore
├── LICENSE.txt
├── NEWS.txt
├── README.txt
├── csrf-magic.js
├── csrf-magic.php
├── js-test
├── all.php
├── common.php
├── dojo.php
├── ext.php
├── jquery.php
├── mootools.php
└── prototype.php
└── test.php
/.gitignore:
--------------------------------------------------------------------------------
1 | /js-test/*.js
2 | /js-test/*.bak
3 | /js-test/*/
4 | /csrf-secret.php
5 |
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | Copyright (c) 2008-2013, Edward Z. Yang
2 | All rights reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
5 |
6 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
7 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
8 |
9 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
10 |
--------------------------------------------------------------------------------
/NEWS.txt:
--------------------------------------------------------------------------------
1 |
2 | [[ news ]]
3 |
4 | 1.0.4 released 2013-07-17
5 |
6 | [SECURITY FIXES]
7 |
8 | - When secret key was not explicitly set, it was not being used
9 | by the csrf_hash() function. Thanks sparticvs for reporting.
10 |
11 | [FEATURES]
12 |
13 | - The default 'CSRF check failed' page now offers a handy 'Try
14 | again' button, which resubmits the form.
15 |
16 | [BUG FIXES]
17 |
18 | - The fix for 1.0.3 inadvertantly turned off XMLHttpRequest
19 | overloading for all browsers; it has now been fixed to only
20 | apply to IE.
21 |
22 | 1.0.3 released 2012-01-31
23 |
24 | [BUG FIXES]
25 |
26 | - Internet Explorer 8 adds support for XMLHttpRequest.prototype,
27 | but this support is broken for method overloading. We
28 | explicitly disable JavaScript overloading for Internet Explorer.
29 | Thanks Kelly Lu for reporting.
30 |
31 | - A global declaration was omitted, resulting in a variable
32 | not being properly introduced in PHP 5.3. Thanks Whitney Beck for
33 | reporting.
34 |
35 | 1.0.2 released 2009-03-08
36 |
37 | [SECURITY FIXES]
38 |
39 | - Due to a typo, csrf-magic accidentally treated the secret key
40 | as always present. This means that there was a possible CSRF
41 | attack against users without any cookies. No attacks in the
42 | wild were known at the time of this release. Thanks Jakub
43 | Vrána for reporting.
44 |
45 | 1.0.1 released 2008-11-02
46 |
47 | [NEW FEATURES]
48 |
49 | - Support for composite tokens; this also fixes a bug with using
50 | IP-based tokens for users with cookies disabled.
51 |
52 | - Native support cookie tokens; use csrf_conf('cookie', $name) to
53 | specify the name of a cookie that the CSRF token should be
54 | placed in. This is useful if you have a Squid cache, and need
55 | to configure it to ignore this token.
56 |
57 | - Tips/tricks section in README.txt.
58 |
59 | - There is now a two hour expiration time on all tokens. This
60 | can be modified using csrf_conf('expires', $seconds).
61 |
62 | - ClickJacking protection using an iframe breaker. Disable with
63 | csrf_conf('frame-breaker', false).
64 |
65 | [BUG FIXES]
66 |
67 | - CsrfMagic.send() incorrectly submitted GET requests twice,
68 | once without the magic token and once with the token. Reported
69 | by Kelly Lu .
70 |
--------------------------------------------------------------------------------
/README.txt:
--------------------------------------------------------------------------------
1 |
2 | [[ csrf-magic ]]
3 |
4 | Add the following line to the top of all web-accessible PHP pages. If you have
5 | a common file included by everything, put it there.
6 |
7 | include_once '/path/to/csrf-magic.php';
8 |
9 | Do it, test it, then forget about it. csrf-magic is protecting you if nothing
10 | bad happens. Read on if you run into problems.
11 |
12 |
13 | TABLE OF CONTENTS
14 | + ------------------- +
15 | 1. TIPS AND TRICKS
16 | 2. AJAX
17 | 3. CONFIGURE
18 | 4. THANKS
19 | 5. FOOTNOTES
20 | + ------------------- +
21 |
22 |
23 | 1. TIPS AND TRICKS
24 |
25 | * If your JavaScript and AJAX is persistently getting errors, check the
26 | AJAX section below on how to fix.
27 |
28 | * The CSS overlay protection makes it impossible to display your website
29 | in frame/iframe elements. You can disable it with
30 | csrf_conf('frame-breaker', false) in your csrf_startup() function.
31 |
32 | * csrf-magic will start a session. To disable, use csrf_conf('auto-session',
33 | false) in your csrf_startup() function.
34 |
35 | * The default error message is a little user unfriendly. Write your own
36 | function which outputs an error message and set csrf_conf('callback',
37 | 'myCallbackFunction') in your csrf_startup() function.
38 |
39 | * Make sure csrf_conf('secret', 'ABCDEFG') has something random in it. If
40 | the directory csrf-magic.php is in is writable, csrf-magic will generate
41 | a secret key for you in the csrf-secret.php file.
42 |
43 | * Remember you can use auto_prepend to include csrf-magic.php on all your
44 | pages. You may want to create a stub file which you can include that
45 | includes csrf-magic.php as well as performs configuration.
46 |
47 | * The default expiration time for tokens is two hours. If you expect your
48 | users to need longer to fill out forms, be sure to enable double
49 | submission when the token is invalid.
50 |
51 |
52 | 2. AJAX
53 |
54 | csrf-magic has the ability to dynamically rewrite AJAX requests which use
55 | XMLHttpRequest. However, due to the invasiveness of this procedure, it is
56 | not enabled by default. You can enable it by adding this code before you
57 | include csrf-magic.php.
58 |
59 | function csrf_startup() {
60 | csrf_conf('rewrite-js', '/web/path/to/csrf-magic.js');
61 | }
62 | // include_once '/path/to/csrf-magic.php';
63 |
64 | (Be sure to place csrf-magic.js somewhere web accessible).
65 |
66 | The default method CSRF Magic uses to rewrite AJAX requests will
67 | only work for browsers with support for XmlHttpRequest.prototype (this excludes
68 | all versions of Internet Explorer). See this page for more information:
69 | http://stackoverflow.com/questions/664315/internet-explorer-8-prototypes-and-xmlhttprequest
70 |
71 | However, csrf-magic.js will
72 | automatically detect and play nice with the following JavaScript frameworks:
73 |
74 | * jQuery
75 | * Prototype
76 | * MooTools
77 | * Ext
78 | * Dojo
79 |
80 | (Note 2013-07-16: It has been a long time since this manual support has
81 | been updated, and some JavaScript libraries have placed their copies of XHR
82 | in local variables in closures, which makes it difficult for us to monkey-patch
83 | it in automatically.)
84 |
85 | To rewrite your own JavaScript library to use csrf-magic.js, you should modify
86 | your function that generates XMLHttpRequest to have this at the end:
87 |
88 | return new CsrfMagic(xhrObject);
89 |
90 | With whatever xhrObject may be. If you have literal instances of XMLHttpRequest
91 | in your code, find and replace ''new XMLHttpRequest'' with ''new CsrfMagic''
92 | (CsrfMagic will automatically instantiate an XMLHttpRequest object in a
93 | cross-platform manner as necessary).
94 |
95 | If you don't want csrf-magic monkeying around with your XMLHttpRequest object,
96 | you can manually rewrite your AJAX code to include the variable. The important
97 | information is stored in the global variables csrfMagicName and csrfMagicToken.
98 | CsrfMagic.process may also be of interest, as it takes one parameter, a
99 | querystring, and prepends the CSRF token to the value.
100 |
101 |
102 | 3. CONFIGURE
103 |
104 | csrf-magic has some configuration options that you can set inside the
105 | csrf_startup() function. They are described in csrf-magic.php, and you can
106 | set them using the convenience function csrf_conf($name, $value).
107 |
108 | For example, this is a recommended configuration:
109 |
110 | /**
111 | * This is a function that gets called if a csrf check fails. csrf-magic will
112 | * then exit afterwards.
113 | */
114 | function my_csrf_callback() {
115 | echo "You're doing bad things young man!";
116 | }
117 |
118 | function csrf_startup() {
119 |
120 | // While csrf-magic has a handy little heuristic for determining whether
121 | // or not the content in the buffer is HTML or not, you should really
122 | // give it a nudge and turn rewriting *off* when the content is
123 | // not HTML. Implementation details will vary.
124 | if (isset($_POST['ajax'])) csrf_conf('rewrite', false);
125 |
126 | // This is a secret value that must be set in order to enable username
127 | // and IP based checks. Don't show this to anyone. A secret id will
128 | // automatically be generated for you if the directory csrf-magic.php
129 | // is placed in is writable.
130 | csrf_conf('secret', 'ABCDEFG123456');
131 |
132 | // This enables JavaScript rewriting and will ensure your AJAX calls
133 | // don't stop working.
134 | csrf_conf('rewrite-js', '/csrf-magic.js');
135 |
136 | // This makes csrf-magic call my_csrf_callback() before exiting when
137 | // there is a bad csrf token. This lets me customize the error page.
138 | csrf_conf('callback', 'my_csrf_callback');
139 |
140 | // While this is enabled by default to boost backwards compatibility,
141 | // for security purposes it should ideally be off. Some users can be
142 | // NATted or have dialup addresses which rotate frequently. Cookies
143 | // are much more reliable.
144 | csrf_conf('allow-ip', false);
145 |
146 | }
147 |
148 | // Finally, include the library
149 | include_once '/path/to/csrf-magic.php';
150 |
151 | Configuration gets stored in the $GLOBALS['csrf'] array.
152 |
153 |
154 | 4. THANKS
155 |
156 | My thanks to Chris Shiflett, for unintentionally inspiring the idea, as well
157 | as telling me the original variant of the Bob and Mallory story,
158 | and the Django CSRF Middleware authors, who thought up of this before me.
159 | Gareth Heyes suggested using the frame-breaker option to protect against
160 | CSS overlay attacks.
161 |
--------------------------------------------------------------------------------
/csrf-magic.js:
--------------------------------------------------------------------------------
1 | /**
2 | * @file
3 | *
4 | * Rewrites XMLHttpRequest to automatically send CSRF token with it. In theory
5 | * plays nice with other JavaScript libraries, needs testing though.
6 | */
7 |
8 | // Here are the basic overloaded method definitions
9 | // The wrapper must be set BEFORE onreadystatechange is written to, since
10 | // a bug in ActiveXObject prevents us from properly testing for it.
11 | CsrfMagic = function(real) {
12 | // try to make it ourselves, if you didn't pass it
13 | if (!real) try { real = new XMLHttpRequest; } catch (e) {;}
14 | if (!real) try { real = new ActiveXObject('Msxml2.XMLHTTP'); } catch (e) {;}
15 | if (!real) try { real = new ActiveXObject('Microsoft.XMLHTTP'); } catch (e) {;}
16 | if (!real) try { real = new ActiveXObject('Msxml2.XMLHTTP.4.0'); } catch (e) {;}
17 | this.csrf = real;
18 | // properties
19 | var csrfMagic = this;
20 | real.onreadystatechange = function() {
21 | csrfMagic._updateProps();
22 | return csrfMagic.onreadystatechange ? csrfMagic.onreadystatechange() : null;
23 | };
24 | csrfMagic._updateProps();
25 | }
26 |
27 | CsrfMagic.prototype = {
28 |
29 | open: function(method, url, async, username, password) {
30 | if (method == 'POST') this.csrf_isPost = true;
31 | // deal with Opera bug, thanks jQuery
32 | if (username) return this.csrf_open(method, url, async, username, password);
33 | else return this.csrf_open(method, url, async);
34 | },
35 | csrf_open: function(method, url, async, username, password) {
36 | if (username) return this.csrf.open(method, url, async, username, password);
37 | else return this.csrf.open(method, url, async);
38 | },
39 |
40 | send: function(data) {
41 | if (!this.csrf_isPost) return this.csrf_send(data);
42 | prepend = csrfMagicName + '=' + csrfMagicToken + '&';
43 | // XXX: Removed to eliminate 'Refused to set unsafe header "Content-length" ' errors in modern browsers
44 | // if (this.csrf_purportedLength === undefined) {
45 | // this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length);
46 | // delete this.csrf_purportedLength;
47 | // }
48 | delete this.csrf_isPost;
49 | return this.csrf_send(prepend + data);
50 | },
51 | csrf_send: function(data) {
52 | return this.csrf.send(data);
53 | },
54 |
55 | setRequestHeader: function(header, value) {
56 | // We have to auto-set this at the end, since we don't know how long the
57 | // nonce is when added to the data.
58 | if (this.csrf_isPost && header == "Content-length") {
59 | this.csrf_purportedLength = value;
60 | return;
61 | }
62 | return this.csrf_setRequestHeader(header, value);
63 | },
64 | csrf_setRequestHeader: function(header, value) {
65 | return this.csrf.setRequestHeader(header, value);
66 | },
67 |
68 | abort: function() {
69 | return this.csrf.abort();
70 | },
71 | getAllResponseHeaders: function() {
72 | return this.csrf.getAllResponseHeaders();
73 | },
74 | getResponseHeader: function(header) {
75 | return this.csrf.getResponseHeader(header);
76 | } // ,
77 | }
78 |
79 | // proprietary
80 | CsrfMagic.prototype._updateProps = function() {
81 | this.readyState = this.csrf.readyState;
82 | if (this.readyState == 4) {
83 | this.responseText = this.csrf.responseText;
84 | this.responseXML = this.csrf.responseXML;
85 | this.status = this.csrf.status;
86 | this.statusText = this.csrf.statusText;
87 | }
88 | }
89 | CsrfMagic.process = function(base) {
90 | if(typeof base == 'object') {
91 | base[csrfMagicName] = csrfMagicToken;
92 | return base;
93 | }
94 | var prepend = csrfMagicName + '=' + csrfMagicToken;
95 | if (base) return prepend + '&' + base;
96 | return prepend;
97 | }
98 | // callback function for when everything on the page has loaded
99 | CsrfMagic.end = function() {
100 | // This rewrites forms AGAIN, so in case buffering didn't work this
101 | // certainly will.
102 | forms = document.getElementsByTagName('form');
103 | for (var i = 0; i < forms.length; i++) {
104 | form = forms[i];
105 | if (form.method.toUpperCase() !== 'POST') continue;
106 | if (form.elements[csrfMagicName]) continue;
107 | var input = document.createElement('input');
108 | input.setAttribute('name', csrfMagicName);
109 | input.setAttribute('value', csrfMagicToken);
110 | input.setAttribute('type', 'hidden');
111 | form.appendChild(input);
112 | }
113 | }
114 |
115 | // Sets things up for Mozilla/Opera/nice browsers
116 | // We very specifically match against Internet Explorer, since they haven't
117 | // implemented prototypes correctly yet.
118 | if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != 'v') {
119 | var x = XMLHttpRequest.prototype;
120 | var c = CsrfMagic.prototype;
121 |
122 | // Save the original functions
123 | x.csrf_open = x.open;
124 | x.csrf_send = x.send;
125 | x.csrf_setRequestHeader = x.setRequestHeader;
126 |
127 | // Notice that CsrfMagic is itself an instantiatable object, but only
128 | // open, send and setRequestHeader are necessary as decorators.
129 | x.open = c.open;
130 | x.send = c.send;
131 | x.setRequestHeader = c.setRequestHeader;
132 | } else {
133 | // The only way we can do this is by modifying a library you have been
134 | // using. We support YUI, script.aculo.us, prototype, MooTools,
135 | // jQuery, Ext and Dojo.
136 | if (window.jQuery) {
137 | // jQuery didn't implement a new XMLHttpRequest function, so we have
138 | // to do this the hard way.
139 | jQuery.csrf_ajax = jQuery.ajax;
140 | jQuery.ajax = function( s ) {
141 | if (s.type && s.type.toUpperCase() == 'POST') {
142 | s = jQuery.extend(true, s, jQuery.extend(true, {}, jQuery.ajaxSettings, s));
143 | if ( s.data && s.processData && typeof s.data != "string" ) {
144 | s.data = jQuery.param(s.data);
145 | }
146 | s.data = CsrfMagic.process(s.data);
147 | }
148 | return jQuery.csrf_ajax( s );
149 | }
150 | }
151 | if (window.Prototype) {
152 | // This works for script.aculo.us too
153 | Ajax.csrf_getTransport = Ajax.getTransport;
154 | Ajax.getTransport = function() {
155 | return new CsrfMagic(Ajax.csrf_getTransport());
156 | }
157 | }
158 | if (window.MooTools) {
159 | Browser.csrf_Request = Browser.Request;
160 | Browser.Request = function () {
161 | return new CsrfMagic(Browser.csrf_Request());
162 | }
163 | }
164 | if (window.YAHOO) {
165 | // old YUI API
166 | YAHOO.util.Connect.csrf_createXhrObject = YAHOO.util.Connect.createXhrObject;
167 | YAHOO.util.Connect.createXhrObject = function (transaction) {
168 | obj = YAHOO.util.Connect.csrf_createXhrObject(transaction);
169 | obj.conn = new CsrfMagic(obj.conn);
170 | return obj;
171 | }
172 | }
173 | if (window.Ext) {
174 | // Ext can use other js libraries as loaders, so it has to come last
175 | // Ext's implementation is pretty identical to Yahoo's, but we duplicate
176 | // it for comprehensiveness's sake.
177 | Ext.lib.Ajax.csrf_createXhrObject = Ext.lib.Ajax.createXhrObject;
178 | Ext.lib.Ajax.createXhrObject = function (transaction) {
179 | obj = Ext.lib.Ajax.csrf_createXhrObject(transaction);
180 | obj.conn = new CsrfMagic(obj.conn);
181 | return obj;
182 | }
183 | }
184 | if (window.dojo) {
185 | // NOTE: this doesn't work with latest dojo
186 | dojo.csrf__xhrObj = dojo._xhrObj;
187 | dojo._xhrObj = function () {
188 | return new CsrfMagic(dojo.csrf__xhrObj());
189 | }
190 | }
191 | }
192 |
--------------------------------------------------------------------------------
/csrf-magic.php:
--------------------------------------------------------------------------------
1 |
110 | */
111 | $GLOBALS['csrf']['input-name'] = '__csrf_magic';
112 |
113 | /**
114 | * Set this to false if your site must work inside of frame/iframe elements,
115 | * but do so at your own risk: this configuration protects you against CSS
116 | * overlay attacks that defeat tokens.
117 | */
118 | $GLOBALS['csrf']['frame-breaker'] = true;
119 |
120 | /**
121 | * Whether or not CSRF Magic should be allowed to start a new session in order
122 | * to determine the key.
123 | */
124 | $GLOBALS['csrf']['auto-session'] = true;
125 |
126 | /**
127 | * Whether or not csrf-magic should produce XHTML style tags.
128 | */
129 | $GLOBALS['csrf']['xhtml'] = true;
130 |
131 | // FUNCTIONS:
132 |
133 | // Don't edit this!
134 | $GLOBALS['csrf']['version'] = '1.0.4';
135 |
136 | /**
137 | * Rewrites
', $script . '', $buffer, $count);
172 | if (!$count) {
173 | $buffer .= $script;
174 | }
175 | }
176 | return $buffer;
177 | }
178 |
179 | /**
180 | * Checks if this is a post request, and if it is, checks if the nonce is valid.
181 | * @param bool $fatal Whether or not to fatally error out if there is a problem.
182 | * @return True if check passes or is not necessary, false if failure.
183 | */
184 | function csrf_check($fatal = true) {
185 | if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;
186 | csrf_start();
187 | $name = $GLOBALS['csrf']['input-name'];
188 | $ok = false;
189 | $tokens = '';
190 | do {
191 | if (!isset($_POST[$name])) break;
192 | // we don't regenerate a token and check it because some token creation
193 | // schemes are volatile.
194 | $tokens = $_POST[$name];
195 | if (!csrf_check_tokens($tokens)) break;
196 | $ok = true;
197 | } while (false);
198 | if ($fatal && !$ok) {
199 | $callback = $GLOBALS['csrf']['callback'];
200 | if (trim($tokens, 'A..Za..z0..9:;,') !== '') $tokens = 'hidden';
201 | $callback($tokens);
202 | exit;
203 | }
204 | return $ok;
205 | }
206 |
207 | /**
208 | * Retrieves a valid token(s) for a particular context. Tokens are separated
209 | * by semicolons.
210 | */
211 | function csrf_get_tokens() {
212 | $has_cookies = !empty($_COOKIE);
213 |
214 | // $ip implements a composite key, which is sent if the user hasn't sent
215 | // any cookies. It may or may not be used, depending on whether or not
216 | // the cookies "stick"
217 | $secret = csrf_get_secret();
218 | if (!$has_cookies && $secret) {
219 | // :TODO: Harden this against proxy-spoofing attacks
220 | $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
221 | $ip = ';ip:' . csrf_hash($IP_ADDRESS);
222 | } else {
223 | $ip = '';
224 | }
225 | csrf_start();
226 |
227 | // These are "strong" algorithms that don't require per se a secret
228 | if (session_id()) return 'sid:' . csrf_hash(session_id()) . $ip;
229 | if ($GLOBALS['csrf']['cookie']) {
230 | $val = csrf_generate_secret();
231 | setcookie($GLOBALS['csrf']['cookie'], $val);
232 | return 'cookie:' . csrf_hash($val) . $ip;
233 | }
234 | if ($GLOBALS['csrf']['key']) return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip;
235 | // These further algorithms require a server-side secret
236 | if (!$secret) return 'invalid';
237 | if ($GLOBALS['csrf']['user'] !== false) {
238 | return 'user:' . csrf_hash($GLOBALS['csrf']['user']);
239 | }
240 | if ($GLOBALS['csrf']['allow-ip']) {
241 | return ltrim($ip, ';');
242 | }
243 | return 'invalid';
244 | }
245 |
246 | function csrf_flattenpost($data) {
247 | $ret = array();
248 | foreach($data as $n => $v) {
249 | $ret = array_merge($ret, csrf_flattenpost2(1, $n, $v));
250 | }
251 | return $ret;
252 | }
253 | function csrf_flattenpost2($level, $key, $data) {
254 | if(!is_array($data)) return array($key => $data);
255 | $ret = array();
256 | foreach($data as $n => $v) {
257 | $nk = $level >= 1 ? $key."[$n]" : "[$n]";
258 | $ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v));
259 | }
260 | return $ret;
261 | }
262 |
263 | /**
264 | * @param $tokens is safe for HTML consumption
265 | */
266 | function csrf_callback($tokens) {
267 | // (yes, $tokens is safe to echo without escaping)
268 | header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
269 | $data = '';
270 | foreach (csrf_flattenpost($_POST) as $key => $value) {
271 | if ($key == $GLOBALS['csrf']['input-name']) continue;
272 | $data .= '';
273 | }
274 | echo "275 |
276 |
CSRF check failed. Your form session may have expired, or you may not have
277 | cookies enabled.