Skip to content
Permalink
Browse files

fixes #3887 CSRF reusable token expires

  • Loading branch information...
Schlaefer committed Jul 6, 2014
1 parent 396725d commit 9fa7afa3547d3c19da63f5a52c8ebedf2c158427
@@ -554,7 +554,9 @@ public function generateToken(CakeRequest $request) {
}
if (!$this->csrfUseOnce) {
$csrfTokens = array_keys($token['csrfTokens']);
$token['key'] = $csrfTokens[0];
$authKey = $csrfTokens[0];
$token['key'] = $authKey;
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
$this->Session->write('_Token', $token);
$request->params['_Token'] = array(
@@ -1250,6 +1250,24 @@ public function testCsrfNonceConsumption() {
$this->assertFalse(isset($token['csrfTokens']['nonce1']), 'Token was not consumed');
}
/**
* tests that reusable CSRF-token expiry is renewed
*/
public function testCsrfReusableTokenRenewal() {
$this->Security->validatePost = false;
$this->Security->csrfCheck = true;
$this->Security->csrfUseOnce = false;
$csrfExpires = '+10 minutes';
$this->Security->csrfExpires = $csrfExpires;
$this->Security->Session->write('_Token.csrfTokens', array('token' => strtotime('+1 minutes')));
$this->Security->startup($this->Controller);
$tokens = $this->Security->Session->read('_Token.csrfTokens');
$diff = strtotime($csrfExpires) - $tokens['token'];
$this->assertTrue($diff === 0 || $diff === 1, 'Token expiry was not renewed');
}
/**
* test that expired values in the csrfTokens are cleaned up.
*

0 comments on commit 9fa7afa

Please sign in to comment.
You can’t perform that action at this time.