CSRF validation keys can be both missing from the request and the session

    $PostBackKey = ForceIncomingString('PostBackKey', '');
    $ExtensionKey = ForceIncomingString('ExtensionKey', '');
    $RequestName = ForceIncomingString('RequestName', '');
    if ($PostBackKey != $Context->Session->GetVariable('SessionPostBackKey', 'string')) {
        ...

It should be like:

    if ($PostBackKey != '' && $PostBackKey != $Context->Session->GetVariable('SessionPostBackKey', 'string')) {

In revision 714, I am adding a method to the session class to retrieve the key. It creates the session key if needed and makes getting the key easier:

    /**
     * Return the key used for CSRF protection.
     * @return String
     */
    function GetCsrfValidationKey() {
        $Key = $this->GetVariable('SessionPostBackKey', 'string');
        if ($Key == '') {
            $Key = DefineVerificationKey();
            $this->SetVariable('SessionPostBackKey', $Key);
        }
        return $Key;
    }
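
The case in the title, as an added example that is not the project's code: a session with no stored key and a request with no key compare equal, while a check built on a create-on-read key rejects the same request. The array-backed session, the function names and random_bytes() standing in for DefineVerificationKey() are assumptions, as is the reading that a matching key means the request is accepted.

```php
<?php
// Added illustration. All names are hypothetical; the session is modelled
// as a plain array instead of $Context->Session.

function storedKey(array $session): string {
    return isset($session['SessionPostBackKey'])
        ? (string) $session['SessionPostBackKey']
        : '';
}

// Comparison as in the report: accepted when request and session values match.
function looseCheck(string $requestKey, array $session): bool {
    return $requestKey == storedKey($session);
}

// Create-on-read, following the idea of GetCsrfValidationKey(): the caller
// never gets an empty key. random_bytes() is an assumed stand-in for
// DefineVerificationKey().
function csrfKey(array &$session): string {
    if (storedKey($session) === '') {
        $session['SessionPostBackKey'] = bin2hex(random_bytes(16));
    }
    return $session['SessionPostBackKey'];
}

// Strict check: an empty request key never validates, and the comparison
// is constant-time.
function strictCheck(string $requestKey, array &$session): bool {
    $expected = csrfKey($session);
    return $requestKey !== '' && hash_equals($expected, $requestKey);
}

// Constructed cases.
$fresh = [];                 // session that has never been given a key
$active = [];
$issued = csrfKey($active);  // key that would be embedded in a form

$cases = [
    'loose,  both keys missing'       => looseCheck('', $fresh),
    'strict, both keys missing'       => strictCheck('', $fresh),
    'strict, issued key sent back'    => strictCheck($issued, $active),
    'strict, wrong key'               => strictCheck('not-the-key', $active),
    'strict, key missing from request' => strictCheck('', $active),
];
foreach ($cases as $label => $accepted) {
    printf("%-34s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```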