Fixing issue where SecurityComponent::csrfUseOnce = false

caused forms that weren't the first to fail. Fixes #1745
cakephp · May 31, 2011 · 69c43a5 · 69c43a5
1 parent aacb921
commit 69c43a5
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -495,6 +495,10 @@ protected function _generateToken($controller) {
 		if ($this->csrfCheck && ($this->csrfUseOnce || empty($tokenData['csrfTokens'])) ) {
 			$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
 		}
+		if ($this->csrfCheck && $this->csrfUseOnce == false) {
+			$csrfTokens = array_keys($token['csrfTokens']);
+			$token['key'] = $csrfTokens[0];
+		}
 		$this->Session->write('_Token', $token);
 		$controller->request->params['_Token'] = array(
 			'key' => $token['key'],

diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -1151,6 +1151,9 @@ public function testCsrfNotUseOnce() {
 		$token2 = $this->Security->Session->read('_Token.csrfTokens');
 		$this->assertEquals(1, count($token2), 'Should only be one token.');
 		$this->assertEquals($token, $token2, 'Tokens should not be different.');
+
+		$key = $this->Controller->request->params['_Token']['key'];
+		$this->assertEquals(array($key), array_keys($token), '_Token.key and csrfToken do not match request will blackhole.');
 	}
 
 /**