From 512cab19f721c0bfc0f6ee4cf961341b0a598255 Mon Sep 17 00:00:00 2001
From: Sebastien Thebert
Date: Sun, 13 Nov 2016 23:00:14 +0100
Subject: [PATCH] Fixes CSRF token for pages with multiple forms
---
 usr/share/aat/INC/AAT_Form_Begin.inc | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/usr/share/aat/INC/AAT_Form_Begin.inc b/usr/share/aat/INC/AAT_Form_Begin.inc
index 882a9ed..55406dc 100644
--- a/usr/share/aat/INC/AAT_Form_Begin.inc
+++ b/usr/share/aat/INC/AAT_Form_Begin.inc
@@ -3,11 +3,20 @@
 <%
 if ((!defined $arg{method}) || ($arg{method} eq "") || ($arg{method} =~ /^POST$/i))
 {
- use Data::GUID;
+ my $token = undef;
- my $guid = Data::GUID->new;
- my $token = $guid->as_string;
- $Session->{CSRFtoken} = $token;
+ if (defined $Session->{CSRFtoken})
+ { # not the first form on the page
+ $token = $Session->{CSRFtoken};
+ }
+ else
+ {
+ use Data::GUID;
+
+ my $guid = Data::GUID->new;
+ $token = $guid->as_string;
+ $Session->{CSRFtoken} = $token;
+ }
 %>
 <%