I'm neck-deep in a crazy situation. Some background first... My setup is a bit different. All of my real users are my employees and are assigned as moderators. They enter and manage new "Users" which are really just applications we track milestones and job details for. My employees/real users have to log out to add a new user/application OR they have to open the registration link in Incognito in another tab since that will not track cookies and allows them to register a new "user" while still logged in to the site in another tab. My goal is to allow the real users of the site to access the registration page to create a new user/applications without having to log out or open incognito.
I have successfully created a proxy.php script on my server that allows me to use my server as a proxy and pass any URL through that proxy by entering a correctly formatted URL. It works great and loads the registration page without the users' cookies even though they are logged into the site on another tab. The goal is to place the proxy URL on an iframe inside the site so that they can register a new user/application from what appears to them as the normal front end they are logged into.
The only issue I'm coming across is passing the registration form's CSRF token back to the site. I can open the form, and fill out the fields, but when I click submit I get "The most recent request was denied because it had an invalid security token. Please go back or refresh the page and try again". I have my script pulling the CSRF from the page load where it finds the hidden field with a value of 1 and stores the field name, which is the actual 32-digit CSRF token. When I pass that token back I always get that same error.
I know this is likely not something you can help me with, but could you give me any insights on how the CSRF works that might help me understand where the breakdown is in passing the CSRF it finds during GET and returning it during POST?
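As an added illustration (not the poster's proxy.php or the site's own code, which the post does not name), this models the common synchronizer-token design that the "invalid security token" behaviour suggests: the token is minted when the form is served, bound to the session cookie of that same request, and checked against the session the POST arrives under, so a token fetched without cookies and replayed under another session, or with no session at all, is rejected. The hex token, the in-memory session store and the single-use rule are assumptions.

```python
import re
import secrets

# Constructed in-memory session store: cookie value -> session data.
# Assumption: the site binds the CSRF token to the server-side session
# (synchronizer-token pattern); the real application is not named in the post.
SESSIONS = {}

def new_session():
    """Create a server-side session and return its cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": None}
    return sid

def render_form(sid):
    """Serve the registration page: mint a token, bind it to this session,
    and emit it in the field-name-with-value-1 style the post describes."""
    token = secrets.token_hex(16)  # 32 hex digits (assumed format)
    SESSIONS[sid]["csrf_token"] = token
    return f'<form><input type="hidden" name="{token}" value="1"></form>'

def extract_token(html):
    """What the proxy script does: pull the 32-digit field name back out."""
    m = re.search(r'name="([0-9a-f]{32})" value="1"', html)
    return m.group(1) if m else None

def handle_post(sid, fields):
    """Accept the POST only if the token bound to the *same* session is
    present as a field; otherwise the site answers with the token error."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    if expected is None or fields.get(expected) != "1":
        return False
    SESSIONS[sid]["csrf_token"] = None  # single use: consumed on success
    return True

def replay_scenario():
    """Reproduce the breakdown: GET under one session, POST under another.
    Returns (no-cookie verdict, other-session verdict, same-session verdict)."""
    proxy_sid = new_session()          # cookie issued to the proxy's GET, then dropped
    token = extract_token(render_form(proxy_sid))
    user_sid = new_session()           # the employee's own logged-in session
    no_cookie = handle_post("", {token: "1"})
    other = handle_post(user_sid, {token: "1"})
    same = handle_post(proxy_sid, {token: "1"})
    return no_cookie, other, same
```

Only the last POST, made under the session the form was served to, is accepted; the proxy flow in the post falls into one of the first two cases.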