Implement CSRF protection in contact form: Added session management and CSRF token validation to enhance security. Updated AJAX response handling in JavaScript to reset button state after submission.

public/assets/js/contact.js

@@ -77,6 +77,10 @@
             })
             .then(response => response.json())
             .then(data => {
+                // Reset button state
+                submitBtn.textContent = originalText;
+                submitBtn.disabled = false;
+                
                 if (data.success) {
                     // Reset form
                     form.reset();

public/contact-handler.php

@@ -4,12 +4,22 @@
  * E-Mail-Verarbeitung mit SMTP-Integration und Spam-Schutz
  */
 
+// Session starten für CSRF-Validierung
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
 // Konfiguration laden
 require_once 'config.php';
 
 // Konfiguration verwenden
 $config = getHexaHostConfig();
 
+// CSRF-Token validieren
+function validateCSRFToken($token) {
+    return isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $token);
+}
+
 // CORS Headers für AJAX-Requests
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: POST');
@@ -329,6 +339,16 @@ function generateEmailText($data) {
 
 // Hauptverarbeitung
 try {
+    // CSRF-Token validieren
+    if (empty($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+        http_response_code(403);
+        echo json_encode([
+            'success' => false, 
+            'message' => 'Ungültige Sitzung. Bitte laden Sie die Seite neu und versuchen Sie es erneut.'
+        ]);
+        exit;
+    }
+    
     // Rate Limiting Check
     $client_ip = $_SERVER['REMOTE_ADDR'];
     if (!checkRateLimit($client_ip)) {

public/includes/functions.php

@@ -3,6 +3,11 @@
  * Helper functions for HexaHost.de
  */
 
+// Start session for CSRF token
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
 /**
  * Set page configuration and include header
  *