I store a CSRF token in a session key when a user registers. When the request hits the backend, I match the CSRF session key with the CSRF token sent by the form. This process worked great until I implemented Cloudflare. Now, for the high majority of these registration requests, the session key is not persisting, and when the back end tries to match the tokens, it fails given there is no $_SESSION['csrf_token']. I'm wondering if anyone has experienced this and if I have a few settings wrong in the Cloudflare dashboard for this specific process?
No one has experienced this or could help me determine if any of my settings are preventing sessions from persisting? One thing I encountered while researching this is that my header settings may not be set to trust Cloudflare's proxy. I'm wondering if that could be the issue.
I wanted to follow up on here as it wouldn't be fair to Cloudflare otherwise. I found the issue and it was not Cloudflare at all but rather a rogue line of code and a very ironic bug.
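
One way to tell a missing session apart from a token mismatch when a session-backed CSRF check like the one in this thread fails. This is an added example, not the poster's code: the function names, the result strings and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; the thread does not show the poster's code.

/** Issue a token once per session and return it for embedding in the form. */
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Compare the submitted token with the session copy and say why it failed.
 * Returns 'ok', 'no_cookie', 'no_session_token', 'no_form_token' or 'mismatch'.
 */
function csrf_check(array $session, array $post, array $cookies, string $cookieName): string
{
    if (!isset($cookies[$cookieName])) {
        return 'no_cookie';          // browser never sent the session cookie back
    }
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        return 'no_session_token';   // cookie arrived, but the session holds no token
    }
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return 'no_form_token';      // form was submitted without the hidden field
    }
    // hash_equals() compares the two strings in constant time.
    return hash_equals($session['csrf_token'], $post['csrf_token']) ? 'ok' : 'mismatch';
}

// Constructed sample requests (not from the thread), runnable from the CLI.
$session = [];
$token   = csrf_issue($session);
$cookies = ['PHPSESSID' => 'constructed-session-id'];

$cases = [
    'valid submit'        => [$session, ['csrf_token' => $token], $cookies],
    'cookie not returned' => [[], ['csrf_token' => $token], []],
    'session lost token'  => [[], ['csrf_token' => $token], $cookies],
    'forged token'        => [$session, ['csrf_token' => str_repeat('0', 64)], $cookies],
];
foreach ($cases as $label => [$s, $p, $c]) {
    printf("%-20s => %s\n", $label, csrf_check($s, $p, $c, 'PHPSESSID'));
}
```

In a real handler the call would be `csrf_check($_SESSION, $_POST, $_COOKIE, session_name())` after `session_start()`, with the returned reason written to the application log so a missing cookie, an emptied session and a wrong token can be told apart.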