From 3a28da248590464d1c38e8868f673418fa6f9865 Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 19 Dec 2025 09:27:16 -0500
Subject: [PATCH] more friendly message on invalid CSRF token
---
 resources/lib/UnityHTTPD.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/resources/lib/UnityHTTPD.php b/resources/lib/UnityHTTPD.php
index 77e9bc7c..e08a652b 100644
--- a/resources/lib/UnityHTTPD.php
+++ b/resources/lib/UnityHTTPD.php
@@ -394,7 +394,13 @@ public static function validatePostCSRFToken(): void
 {
 $token = self::getPostData("csrf_token");
 if (!CSRFToken::validate($token)) {
- self::badRequest("CSRF token validation failed", data: ["token" => $token]);
+ $errorid = uniqid();
+ self::errorLog("csrf failed to validate", "", errorid: $errorid);
+ self::messageError(
+ "Invalid Session Token",
+ "This can happen if you leave your browser open for a long time. Error ID: $errorid",
+ );
+ self::redirect();
 }
 }
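Review bot: The rejection branch of validatePostCSRFToken() now relies on `self::redirect()` ending the request, and its definition is not visible in this hunk. The replaced `badRequest()` call presumably terminated the request; if `redirect()` only sets a header and returns, the caller would go on to process the POST after a failed token check. Confirm that `redirect()` exits (ideally declared `: never`), and state the dependency here with a comment such as `// redirect() never returns; a failed CSRF check must not fall through to the POST handler`. The `errorLog()` call also passes an empty string as its second argument where the old call attached data, so a stale session and a forged cross-site request look the same in the log. Recording the request path, or whether the token was missing, without the token value itself, would keep the Error ID useful for triage.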