Fix CSRF issue with new login during process.

If you had no session cookie, started reporting a problem, logged in through that process, you would then get a CSRF error as the token had been created before the session was.
author: Matthew Somerville <matthew-github@dracos.co.uk> 2016-07-05 13:09:18 +0100
committer: Matthew Somerville <matthew-github@dracos.co.uk> 2016-07-05 13:09:18 +0100
commit: 3fa598f3e9f5655655e85510d1551b16965bd9d7 (patch)
tree: fd9251a7d9dae35a50ec146042cac6e389d0bb7d
parent: 2f09edc1784698b1ed74c514068e4e26687c047b (diff)
2 files changed, 4 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index b564a988c..ca4a2fc80 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -85,6 +85,9 @@ sub sign_in : Private {
         $c->set_session_cookie_expire(0)
           unless $remember_me;
 
+        # Regenerate CSRF token as session ID changed
+        $c->forward('get_csrf_token');
+
         return 1;
     }
 
diff --git a/t/app/controller/report_new.t b/t/app/controller/report_new.t
index eb29d37da..ba550193e 100644
--- a/t/app/controller/report_new.t
+++ b/t/app/controller/report_new.t
@@ -701,6 +701,7 @@ subtest "test password errors for a user who is signing in as they report" => su
 
 subtest "test report creation for a user who is signing in as they report" => sub {
     $mech->log_out_ok;
+    $mech->cookie_jar({});
     $mech->clear_emails_ok;
 
     # check that the user does not exist
author	Matthew Somerville <matthew-github@dracos.co.uk>	2016-07-05 13:09:18 +0100
committer	Matthew Somerville <matthew-github@dracos.co.uk>	2016-07-05 13:09:18 +0100
commit	3fa598f3e9f5655655e85510d1551b16965bd9d7 (patch)
tree	fd9251a7d9dae35a50ec146042cac6e389d0bb7d
parent	2f09edc1784698b1ed74c514068e4e26687c047b (diff)