Vulnerability remediation

login.php

@@ -19,9 +19,11 @@
     ini_set('session.gc_maxlifetime', 24*60*60);                                // MIN SESSION
     ini_set('session.gc_probability', 1);                                       // GC RATES
     ini_set('session.gc_divisor', 100);                                         // TIMES
+    ini_set("session. cookie_httponly", 1);
     session_save_path('.tmp');                                                  // TEMP
     session_start();                                                            // START
     require_once __DIR__ . '/autoload.php';                                     // AUTOLOAD
+    use App\LobbySIO\Misc\Csrf;                                        // ANTICSRF
     use App\LobbySIO\Config\Registry;
     $Users = new \App\LobbySIO\Database\Users();
     if (Registry::AUTHMETHOD == 'SAML') {
@@ -74,7 +76,14 @@
     require_once("inc/header.inc.php");
     if ($StaticFunctions->getUserSessionStatus() == true) {                         // CHECK STATUS
         header('Location: index.php');                                          // ELSE HOME
-    } else { ?>
+    } else {
+      header("X-Frame-Options: SAMEORIGIN");
+      header("Content-Security-Policy: frame-ancestors 'none'", false);
+      if (!empty($_GET['a'])) {
+        echo '<pre>' . print_r($_POST, true) . '</pre>';
+        echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
+      }
+    ?>
 
 
 <!-- START CONTENT -->
@@ -112,6 +121,7 @@ endif;
     <hr />
     <br />
     <form class="form-signin" action="login.php" method="post">
+        <?php echo Csrf::getInputToken('home') ?>
         <div class="input-group input-group-lg">
           <?php if (Registry::AUTHMETHOD == 'INTERNAL') { ?>
           <input type="text" class="form-control" aria-describedby="button-addon2" id="username" name="username" placeholder="<?php echo $transLang['USERNAME']; ?>" required autofocus>