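/**
 * Verify that the CSRF token was sent in the request headers and matches the
 * session token. If the header is missing or its value differs from the
 * session token an Exception is thrown; returning normally means the token
 * was verified.
 *
 * The comparison uses hash_equals() instead of `!=`: a loose comparison on an
 * attacker-controlled string is subject to PHP type juggling (two
 * numeric-looking strings such as "0e123" and "0e456" compare equal, and a
 * null/empty session token loosely equals an empty header), and an
 * early-exit string compare leaks timing information about how many leading
 * bytes matched.
 *
 * @param string $headerName the name of the header variable that contains the token
 * @throws Exception if token is not provided or does not match
 */
protected function VerifyCSRFToken($headerName = 'X-CSRFToken')
{
    // Header names are case-insensitive (and some clients lower-case them),
    // so normalise both the incoming header map and the name we look for.
    $headers = array_change_key_case(RequestUtil::GetHeaders(), CASE_LOWER);
    $headerName = strtolower($headerName);

    if (!array_key_exists($headerName, $headers)) {
        throw new Exception('Missing CSRFToken');
    }

    // An absent/empty session token must never verify, regardless of what
    // the client sent. (Whether GetCSRFToken() can return null/'' is not
    // visible here — this guard is defensive.)
    $expected = (string) $this->GetCSRFToken();
    if ($expected === '') {
        throw new Exception('Invalid CSRFToken');
    }

    // hash_equals() requires two strings; a non-string header value (the
    // shape of RequestUtil::GetHeaders() is not visible here) is rejected
    // rather than coerced.
    $provided = $headers[$headerName];
    if (!is_string($provided) || !hash_equals($expected, $provided)) {
        throw new Exception('Invalid CSRFToken');
    }
}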