Throw a 401, 403 or 500(?) when trying to access a "members area" without the correct user credentials

Hi!

I have a dashboard area for the users. Of course this dashboard area and all other signed in areas are grabbing user credentials from session. But anyway, you want your app to be secure.

When trying to access the members area with this CURL script:

<?php
// Issue an unauthenticated POST to the members area and dump the raw
// response, headers included, to see how the server rejects it.
$url = 'http://localhost:8080/dashboard';
$ch = curl_init();
$opts = array(
    CURLOPT_URL => $url,
    CURLOPT_RETURNTRANSFER => true, // return the response instead of printing it
    CURLOPT_HEADER => true,         // include the response headers in the result
    CURLOPT_POST => true            // plain POST: no body, no session cookie
);
curl_setopt_array($ch, $opts);

$result = curl_exec($ch);
if ($result === false) {
    echo 'cURL error: ' . curl_error($ch) . "\n";
}
curl_close($ch);
echo '<b>RESULT:</b><br> ' . var_export($result, true) . "\n\n";
?>

The result is:

RESULT:
'HTTP/1.1 400 Bad Request
Host: localhost:8080
Connection: close
X-Powered-By: PHP/7.0.7
Set-Cookie: PHPSESSID=u39hgt5qtkjmd6dj8emmn42of0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/plain;charset=UTF-8
Content-Length: 18

Failed CSRF check!'

I’m a little worried about the last line, “Failed CSRF check”, that somehow it would be possible to collect CSRF data and then execute the same curl code. So, how can I display an error message before CSRF Guard kicks in?

I'm using https://github.com/ArneAnka/slim3

1 Like
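An added example (not the poster's code and not taken from the ArneAnka/slim3 repository) of the usual Slim 3 approach: put the session check in its own middleware and add it after `Slim\Csrf\Guard`, because Slim 3 runs middleware last-in, first-out, so anonymous requests get a 401 before the CSRF guard ever runs. It assumes Slim 3 and slim/csrf installed through Composer; the session key `user_id` is a constructed placeholder for whatever your login code stores.

```php
<?php
// Added example for Slim 3 + slim/csrf; not the poster's code.
// Assumes composer packages slim/slim ^3 and slim/csrf; the session
// key 'user_id' is a constructed placeholder for your own login flag.
require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response;

session_start(); // both the login check and the CSRF guard rely on the session

$app = new \Slim\App();

// Middleware: reject anonymous requests with 401 and a readable body.
$requireLogin = function (Request $request, Response $response, callable $next) {
    if (empty($_SESSION['user_id'])) {
        $response->getBody()->write('Please sign in to use the dashboard.');
        return $response->withStatus(401)
                        ->withHeader('Content-Type', 'text/plain');
    }
    return $next($request, $response); // signed in: continue to the CSRF guard and the route
};

// Optional: answer a failed CSRF check with 403 instead of the library's default 400.
$csrf = new \Slim\Csrf\Guard();
$csrf->setFailureCallable(function (Request $request, Response $response, callable $next) {
    $response->getBody()->write('Failed CSRF check!');
    return $response->withStatus(403)->withHeader('Content-Type', 'text/plain');
});

// Slim 3 runs middleware last-in, first-out: $requireLogin (added last) executes
// first, so the CSRF guard only sees requests that already carry a valid session.
$app->group('/dashboard', function () {
    $this->get('', function (Request $request, Response $response) {
        $response->getBody()->write('Dashboard for user ' . $_SESSION['user_id']);
        return $response;
    });
    $this->post('', function (Request $request, Response $response) {
        $response->getBody()->write('Dashboard form accepted');
        return $response;
    });
})->add($csrf)->add($requireLogin);

$app->run();
```

With this ordering the cURL script from the post receives `HTTP/1.1 401` and the sign-in message, and the CSRF failure text is only ever reached by a request that already has a logged-in session.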