I've got a simple login script to which I've added an anti-CSRF method. Basically the insertion of a token in the login form and also in a session variable called "token". When the login is validated, it checks the session variable against the hidden token and if they match then no attack was done. After that, the session variable is destroyed.
That part worked fine until I used mod_rewrite to have nice URLs. The rewrite code is the following:

    RewriteRule ^page/(.*) /index.php?module=Osmose&class=Affichage&nom_page_mod_rewrite=$1
    RewriteRule ^edition/(.*) /index.php?module=Osmose&class=Edition&nom_page_mod_rewrite=$1

Pretty simple. If I use the long URL format (i.e. /index.php?module=Affichage&nom_page_mod_rewrite=mypage), the login works fine and the CSRF check passes. But when I'm on a page with a nice URL like /page/mypage and do a login from there, it seems the session variable is all screwy and never matches the token generated. Any idea why this happens? Thanks!
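The token scheme described in the question, written out as an added example (this is not the poster's script): one token per session that is only issued when none exists, a constant-time comparison, and an absolute form action so the POST target is the same whether the page was reached as /index.php?... or as /page/mypage. The function names and the form markup are my own assumptions.

```php
<?php
// Added example: CSRF token handling for a login form that may be served
// under a mod_rewrite URL such as /page/mypage. Function names are hypothetical.
declare(strict_types=1);

session_start(); // must run on every request, before any output

// Issue a token only when the session has none; regenerating on every
// request would overwrite the value the pending login form was rendered with.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Validate a submitted token: true only when a session token exists and the
// submitted value matches it in constant time. The token is consumed either way.
function csrf_validate(?string $submitted): bool
{
    $expected = $_SESSION['token'] ?? '';
    unset($_SESSION['token']);
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... normal credential check goes here ...
}

// An absolute action keeps the POST target identical whether the page was
// reached via the long URL or via the rewritten /page/mypage URL.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/index.php?module=Osmose&amp;class=Affichage&amp;nom_page_mod_rewrite=mypage">'
   . '<input type="hidden" name="token" value="' . $token . '">'
   . '<input name="user"><input type="password" name="pass">'
   . '<button type="submit">Login</button></form>';
```

When debugging a mismatch like the one described, check the session id and the stored token on both the form render and the POST (for example by logging session_id() and $_SESSION['token'] at the top of index.php): if a relative asset path such as /page/style.css is being caught by the rewrite rule and executing index.php, that extra request will show up as a second token issue between render and submit.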