Fixing issues with SecurityComponent, where removing your session,

would allow posting of invalid form data.
Fixes #1867

cake/libs/controller/components/security.php

@@ -607,6 +607,8 @@ function _validatePost(&$controller) {
 			if ($tokenData['expires'] < time() || $tokenData['key'] !== $token) {
 				return false;
 			}
+		} else {
+			return false;
 		}
 
 		$locked = null;

cake/tests/cases/libs/controller/components/security.test.php

@@ -582,6 +582,25 @@ function testValidatePost() {
 		$this->assertTrue($this->Controller->Security->validatePost($this->Controller));
 	}
 
+/**
+ * Test that validatePost fails if you are missing the session information.
+ *
+ * @return void
+ */
+	function testValidatePostNoSession() {
+		$this->Controller->Security->startup($this->Controller);
+		$this->Controller->Session->delete('_Token');
+
+		$key = $this->Controller->params['_Token']['key'];
+		$fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
+
+		$this->Controller->data = array(
+			'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
+			'_Token' => compact('key', 'fields')
+		);
+		$this->assertFalse($this->Controller->Security->validatePost($this->Controller));
+	}
+
 /**
  * test that validatePost fails if any of its required fields are missing.
  *