Improve CSRF handling

examples/client_auth.php

 
 $cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
 
-function call($method, $url, $data = false) {
+function call($method, $url, $data = false, $csrf = false) {
 	global $cookiejar;
 	$ch = curl_init();
 	curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
 	curl_setopt($ch, CURLOPT_URL, $url);
+	$headers = array();
 	if ($data) {
 		curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
-		$headers = array();
 		$headers[] = 'Content-Type: application/json';
 		$headers[] = 'Content-Length: ' . strlen($data);
-		curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
 	}
+	if ($csrf) {
+		$headers[] = 'X-XSRF-TOKEN: ' . $csrf;
+	}
+	curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
 	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 
 	curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
 
 // in case you are using php-api-auth:
 $csrf = json_decode(call('POST','http://localhost/api.php/', 'username=admin&password=admin'));
-$response = call('GET','http://localhost/api.php/posts?include=categories,tags,comments&filter=id,eq,1&csrf='. $csrf);
+$response = call('GET','http://localhost/api.php/posts?include=categories,tags,comments&filter=id,eq,1', false, $csrf);
 
 unlink($cookiejar);