Unset CSRF token from request data after token validation.

This prevents the token being included in query string when using PRG pattern.
cakephp · Oct 9, 2015 · 5f76c1c · 5f76c1c
1 parent 7df65e6
commit 5f76c1c
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/src/Controller/Component/CsrfComponent.php b/src/Controller/Component/CsrfComponent.php
@@ -94,6 +94,7 @@ public function startup(Event $event)
         }
         if ($request->is(['patch', 'put', 'post', 'delete'])) {
             $this->_validateToken($request);
+            unset($request->data[$this->_config['field']]);
         }
     }
 

diff --git a/tests/TestCase/Controller/Component/CsrfComponentTest.php b/tests/TestCase/Controller/Component/CsrfComponentTest.php
@@ -156,6 +156,7 @@ public function testValidTokenRequestData($method)
         $event = new Event('Controller.startup', $controller);
         $result = $this->component->startup($event);
         $this->assertNull($result, 'No exception means valid.');
+        $this->assertFalse(isset($controller->request->data['_csrfToken']));
     }
 
     /**