Posted (edited)

After updating core to 4.5, my own custom app has problems.
In the ACP, in my app's ACP modules, when I put some &request in the URL, a CSRF error appears.
For example:

  • admin/?app=something&module=main&controller=something - works fine
  • admin/?app=something&module=main&controller=something&request=1 - a CSRF error appears

It happens only in my own app, which I'm creating now, and only after updating IPS to 4.5. Before the IPS update it was working like a charm.

I have tried:

  • Rebuilding an app
  • Clearing cache
  • Creating new theme / using default theme
  • Restarted php/nginx
  • Tried to find errors in my app
  • Tried updating IPS to 4.5.1 today and the problem still exists.

I have seen that in IPS 4.5 there is no &addsess in ACP URIs, but that's probably not the reason.

Edited by Mac1
Posted
5 minutes ago, Adriano Faria said:

You have to add this to your Admin CP controllers:

public static $csrfProtected = TRUE;

That’s because they removed the session ID from ACP URLs.

Thank you very much!

Posted (edited)

By the way, that’s not all. You’ll have to add the CSRF checking in all your links for the same matter, otherwise anyone that knows URLs from your ACP controllers will be able to “execute” them. So in your links and buttons, add:

\IPS\Http\Url::internal( "app... ...&do=something" )->csrf();

Then on something(), you start with:

\IPS\Session::i()->csrfCheck();

confirmedDelete() should be used when you try to delete something and use data-confirm in links or

'data' => array( 'delete' => '' )

in buttons.

Take a look in any official app ACP controllers. 

Edited by Adriano Faria
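
The pieces from the replies above, combined in one Admin CP controller. This is an added example, not code from the thread or from IPS; the app name `myapp`, the controller name `something`, the permission key, the `purge` action and the `myapp_*` language keys are hypothetical.

```php
<?php
/* Added illustration. Hypothetical names: app "myapp", controller "something",
   permission key "something_manage", action "purge", language keys "myapp_*". */
namespace IPS\myapp\modules\admin\main;

if ( !\defined( '\IPS\SUITE_UNIQUE_KEY' ) )
{
	header( ( isset( $_SERVER['SERVER_PROTOCOL'] ) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0' ) . ' 403 Forbidden' );
	exit;
}

class _something extends \IPS\Dispatcher\Controller
{
	/* Set as described in the reply above; each action below then does its own check */
	public static $csrfProtected = TRUE;

	public function execute()
	{
		\IPS\Dispatcher::i()->checkAcpPermission( 'something_manage' );
		parent::execute();
	}

	/* Read-only listing: builds the links, so every state-changing URL gets ->csrf() */
	protected function manage()
	{
		$base = \IPS\Http\Url::internal( "app=myapp&module=main&controller=something" );
		\IPS\Output::i()->sidebar['actions']['purge'] = array(
			'icon'  => 'refresh',
			'title' => 'myapp_purge',
			'link'  => $base->setQueryString( 'do', 'purge' )->csrf(),
		);
		\IPS\Output::i()->sidebar['actions']['delete'] = array(
			'icon'  => 'trash',
			'title' => 'myapp_delete',
			'link'  => $base->setQueryString( array( 'do' => 'delete', 'id' => 1 ) )->csrf(),
			'data'  => array( 'delete' => '' ), // triggers the confirmation dialog
		);
	}

	/* State-changing action: reject the request unless the CSRF key in the URL is valid */
	protected function purge()
	{
		\IPS\Session::i()->csrfCheck();
		/* ... app-specific work goes here ... */
		\IPS\Output::i()->redirect( \IPS\Http\Url::internal( "app=myapp&module=main&controller=something" ), 'saved' );
	}

	/* Delete action: confirmedDelete() comes first, as the reply above says */
	protected function delete()
	{
		\IPS\Request::i()->confirmedDelete();
		$id = (int) \IPS\Request::i()->id;
		/* ... delete the record identified by $id ... */
		\IPS\Output::i()->redirect( \IPS\Http\Url::internal( "app=myapp&module=main&controller=something" ), 'deleted' );
	}
}
```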