csrf, don't try to pass tokenkey, ref : https://github.com/phalcon/cphalcon/blob/v3.0.3/phalcon/security.zep#L377

2026-03-16 01:24:38 +00:00 · 2017-01-20 11:05:08 +01:00 · 2017-01-20 11:05:08 +01:00 · f5ef237970
commit f5ef237970
parent 9eeca3405b
2 changed files with 2 additions and 4 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
@ -175,9 +175,8 @@ class ApiControllerBase extends ControllerRoot
            }

            // check for valid csrf on post requests
-            $csrf_tokenkey = $this->request->getHeader('X_CSRFTOKENKEY');
-            $csrf_token =   $this->request->getHeader('X_CSRFTOKEN');
-            $csrf_valid = $this->security->checkToken($csrf_tokenkey, $csrf_token, false);
+            $csrf_token = $this->request->getHeader('X_CSRFTOKEN');
+            $csrf_valid = $this->security->checkToken(null, $csrf_token, false);

            if (($this->request->isPost() ||
                    $this->request->isPut() ||
--- a/src/opnsense/mvc/app/views/layouts/default.volt
+++ b/src/opnsense/mvc/app/views/layouts/default.volt
@ -51,7 +51,6 @@
                $.ajaxSetup({
                    'beforeSend': function(xhr) {
                        xhr.setRequestHeader("X-CSRFToken", "{{ csrf_token }}" );
-                        xhr.setRequestHeader("X-CSRFTokenKey", "{{ csrf_tokenKey }}" );
                    }
                });
                // propagate ajax error messages