Пример #1
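 /**
  * Verify that the CSRF token sent in the request headers matches the session token.
  * If the header is absent or the value does not match, an Exception is thrown;
  * returning normally means the token is verified.
  *
  * The header lookup is case-insensitive (IE lower-cases all header names). The
  * comparison uses hash_equals() so it is strict — no loose `!=` type juggling,
  * e.g. two different numeric-looking strings comparing equal — and constant-time.
  *
  * @param string $headerName the name of the header variable that contains the token
  * @throws Exception if the token is not provided, the session has no token, or it does not match
  */
 protected function VerifyCSRFToken($headerName = 'X-CSRFToken')
 {
     // make the lookup case-insensitive (IE changes all headers to lower-case)
     $headers = array_change_key_case(RequestUtil::GetHeaders(), CASE_LOWER);
     $headerName = strtolower($headerName);

     if (!array_key_exists($headerName, $headers)) {
         throw new Exception('Missing CSRFToken');
     }

     // hash_equals() requires strings on both sides
     $expected = (string) $this->GetCSRFToken();
     $provided = (string) $headers[$headerName];

     // fail closed: an empty session-side token must never verify, even against an empty header
     if ($expected === '' || !hash_equals($expected, $provided)) {
         throw new Exception('Invalid CSRFToken');
     }
 }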