Cloudflare Proxy Causes Issue if CSRFP_TOKEN Name is Uppercase

Open sectri-sitler opened this issue 2 years ago • 0 comments

Describe the bug
When using a server that leverages Cloudflare's Proxy and while attempting an AJAX call (PHP/JavaScript), you will receive a 403 Forbidden response from csrfprotector.

To Reproduce
Configure the CSRFP_TOKEN with uppercase characters. Then attempt an AJAX call (PHP/JavaScript) with PHP files that use csrfprotector. You will receive a 403 Forbidden response.

Expected behavior
The AJAX call works fine and returns expected data when Cloudflare Proxy is not enabled.

Solution
Rename the CSRFP_TOKEN to lowercase and this will resolve the issue. This resolves the issue because Cloudflare is renaming the CSRFP_TOKEN in the request header to all lowercase. While this is definitely a Cloudflare issue, it may be a good idea to include this issue in the csrfprotector documentation or update the functions to allow for uppercase or lowercase, as long as the name matches.

Additional Details

Csrfprotector checks the request headers to find the CSRF token. It uses the function getTokenFromRequest() to do this. getTokenFromRequest() looks at the request headers and searches for the name configured in config.php ($config['CSRFP_TOKEN']). If it doesn't find it, the function returns false, thus the token is not set. Because the token is not set, the function failedValidationAction() is called and csrfprotector stops the web application from executing any more code.

sectri-sitler avatar Jul 21 '23 12:07 sectri-sitler
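The failure mode described in the issue, as an added example that is not the issue author's code and not csrfprotector's own getTokenFromRequest(): a lookup that compares header names case-sensitively finds nothing once a proxy has lowercased the header, while a case-insensitive comparison accepts either spelling. HTTP header field names are case-insensitive by specification (RFC 9110, section 5.1) and HTTP/2 requires them to be lowercase on the wire, which is why a proxy in front of the origin may rewrite "CSRFP_TOKEN" as "csrfp_token". The header arrays, the $configuredName value and the helper function names below are constructed for the example; in a real handler the $headers array would come from apache_request_headers() or getallheaders().

```php
<?php
// Added example, not csrfprotector's code. Shows a case-sensitive token lookup
// failing behind a proxy that lowercases header names, next to a
// case-insensitive lookup that accepts either form.
declare(strict_types=1);

/**
 * Case-sensitive lookup: succeeds only if the header name arrives exactly as
 * configured. Returns the token string, or false when the key is absent.
 */
function getTokenStrict(array $headers, string $tokenName)
{
    return array_key_exists($tokenName, $headers) ? $headers[$tokenName] : false;
}

/**
 * Case-insensitive lookup: compares every header name with strcasecmp(), so
 * "CSRFP_TOKEN", "csrfp_token" and "Csrfp_Token" all match the configured
 * name. Returns the token string, or false when no header matches.
 */
function getTokenCaseInsensitive(array $headers, string $tokenName)
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, $tokenName) === 0) {
            return $value;
        }
    }
    // Fallback for SAPIs where apache_request_headers() is unavailable: PHP
    // exposes request headers in $_SERVER as HTTP_<NAME>, uppercased with '-'
    // replaced by '_', so this key is independent of the case the proxy used.
    $serverKey = 'HTTP_' . strtoupper(str_replace('-', '_', $tokenName));
    return $_SERVER[$serverKey] ?? false;
}

// Constructed sample data: the token name as configured in config.php ...
$configuredName = 'CSRFP_TOKEN';

// ... the headers as the browser sent them on a direct connection ...
$direct = ['Host' => 'example.test', 'CSRFP_TOKEN' => 'abc123'];

// ... and the same request after a proxy that lowercases header names.
$proxied = ['host' => 'example.test', 'csrfp_token' => 'abc123'];

// Direct request: both lookups find the token.
var_dump(getTokenStrict($direct, $configuredName));
var_dump(getTokenCaseInsensitive($direct, $configuredName));

// Proxied request: the strict lookup returns false, which is the point at
// which csrfprotector would treat the token as missing and answer 403; the
// case-insensitive lookup still returns the token.
var_dump(getTokenStrict($proxied, $configuredName));
var_dump(getTokenCaseInsensitive($proxied, $configuredName));
```

Note that the case-insensitive lookup only relaxes how the header name is matched; the token value itself must still be compared exactly against the value stored for the session, as csrfprotector already does after getTokenFromRequest() returns.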