Adding support for nonce expiry.

Adding simple time based nonce expiration. This does a simple cleanup on
each request, to remove stale tokens.  Tests added.

cake/libs/controller/components/security.php

@@ -705,6 +705,7 @@ protected function _generateToken(&$controller) {
 			}
 			if (!empty($tokenData['csrfTokens'])) {
 				$token['csrfTokens'] += $tokenData['csrfTokens'];
+				$token['csrfTokens'] = $this->_expireTokens($token['csrfTokens']);
 			}
 		}
 		$controller->request->params['_Token'] = $token;
@@ -729,6 +730,23 @@ protected function _validateCsrf($controller) {
 		return false;
 	}
 
+/**
+ * Expire CSRF nonces and remove them from the valid tokens.
+ * Uses a simple timeout to expire the tokens.
+ *
+ * @param array $tokens An array of nonce => expires.
+ * @return An array of nonce => expires.
+ */
+	protected function _expireTokens($tokens) {
+		$tokenExpiryTime = strtotime($this->csrfExpires);
+		foreach ($tokens as $nonce => $expires) {
+			if ($expires < $tokenExpiryTime) {
+				unset($tokens[$nonce]);
+			}
+		}
+		return $tokens;
+	}
+
 /**
  * Sets the default login options for an HTTP-authenticated request
  *

cake/tests/cases/libs/controller/components/security.test.php

@@ -1296,4 +1296,23 @@ function testCsrfNonceConsumption() {
 		$token = $this->Security->Session->read('_Token');
 		$this->assertFalse(isset($token['csrfTokens']['nonce1']), 'Token was not consumed');
 	}
+
+/**
+ * test that expired values in the csrfTokens are cleaned up.
+ *
+ * @return void
+ */
+	function testCsrfNonceVacuum() {
+		$this->Security->validatePost = false;
+		$this->Security->csrfCheck = true;
+		$this->Security->csrfExpires = '+10 minutes';
+
+		$this->Security->Session->write('_Token.csrfTokens', array(
+			'poof' => strtotime('-11 minutes'),
+			'dust' => strtotime('-20 minutes')
+		));
+		$this->Security->startup($this->Controller);
+		$tokens = $this->Security->Session->read('_Token.csrfTokens');
+		$this->assertEquals(1, count($tokens), 'Too many tokens left behind');
+	}
 }