Making tokens persist across 'requests'.

Removing more serialize/unserialize calls.

cake/libs/controller/components/security.php

@@ -516,7 +516,7 @@ protected function _authRequired(&$controller) {
 				}
 
 				if ($this->Session->check('_Token')) {
-					$tData = unserialize($this->Session->read('_Token'));
+					$tData = $this->Session->read('_Token');
 
 					if (!empty($tData['allowedControllers']) && !in_array($this->request->params['controller'], $tData['allowedControllers']) || !empty($tData['allowedActions']) && !in_array($this->request->params['action'], $tData['allowedActions'])) {
 						if (!$this->blackHole($controller, 'auth')) {
@@ -681,7 +681,8 @@ protected function _generateToken(&$controller) {
 			'expires' => $expires,
 			'allowedControllers' => $this->allowedControllers,
 			'allowedActions' => $this->allowedActions,
-			'disabledFields' => $this->disabledFields
+			'disabledFields' => $this->disabledFields,
+			'csrfTokens' => array()
 		);
 
 		if ($this->csrfCheck) {
@@ -699,6 +700,9 @@ protected function _generateToken(&$controller) {
 			if ($valid) {
 				$token['key'] = $tokenData['key'];
 			}
+			if (!empty($tokenData['csrfTokens'])) {
+				$token['csrfTokens'] += $tokenData['csrfTokens'];
+			}
 		}
 		$controller->request->params['_Token'] = $token;
 		$this->Session->write('_Token', $token);

cake/tests/cases/libs/controller/components/security.test.php

@@ -281,16 +281,16 @@ function testRequireAuthFail() {
 		$this->Controller->Security->startup($this->Controller);
 		$this->assertTrue($this->Controller->failed);
 
-		$this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
+		$this->Controller->Session->write('_Token', array('allowedControllers' => array()));
 		$this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
 		$this->Controller->request['action'] = 'posted';
 		$this->Controller->Security->requireAuth('posted');
 		$this->Controller->Security->startup($this->Controller);
 		$this->assertTrue($this->Controller->failed);
 
-		$this->Controller->Session->write('_Token', serialize(array(
+		$this->Controller->Session->write('_Token', array(
 			'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
-		)));
+		));
 		$this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
 		$this->Controller->request['action'] = 'posted';
 		$this->Controller->Security->requireAuth('posted');
@@ -311,9 +311,9 @@ function testRequireAuthSucceed() {
 		$this->Controller->Security->startup($this->Controller);
 		$this->assertFalse($this->Controller->failed);
 
-		$this->Controller->Security->Session->write('_Token', serialize(array(
+		$this->Controller->Security->Session->write('_Token', array(
 			'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted')
-		)));
+		));
 		$this->Controller->request['controller'] = 'SecurityTest';
 		$this->Controller->request['action'] = 'posted';
 
@@ -1240,10 +1240,23 @@ function testCsrfSettings() {
 		$this->Security->csrfCheck = true;
 		$this->Security->csrfExpires = '+10 minutes';
 		$this->Security->startup($this->Controller);
-		
+
 		$token = $this->Security->Session->read('_Token');
 		$this->assertEquals(count($token['csrfTokens']), 1, 'Missing the csrf token.');
 		$this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), 'Token expiry does not match');
-
+	}
+
+	function testCsrfSettingMultipleNonces() {
+		$this->Security->validatePost = false;
+		$this->Security->csrfCheck = true;
+		$this->Security->csrfExpires = '+10 minutes';
+		$this->Security->startup($this->Controller);
+		$this->Security->startup($this->Controller);
+
+		$token = $this->Security->Session->read('_Token');
+		$this->assertEquals(count($token['csrfTokens']), 2, 'Missing the csrf token.');
+		foreach ($token['csrfTokens'] as $key => $expires) {
+			$this->assertEquals(strtotime('+10 minutes'), $expires, 'Token expiry does not match');
+		}
 	}
 }