authorMatthew Somerville <matthew-github@dracos.co.uk>2017-01-12 15:24:16 +0000
committerMatthew Somerville <matthew-github@dracos.co.uk>2017-01-12 15:24:16 +0000
commit831f0addbac7eb3e6641877c936f90279d1bb186 (patch)
tree8d56fd057f539002c9eef08e21b8260c31858119
parentdd59d2831e7e824eb14051253fb59157e032673b (diff)
Make sure csrf_time is deleted after use.
If an out-of-date token was passed to check_csrf_token, then no new token would be output on the error page because csrf_time was still present.
-rw-r--r--perllib/FixMyStreet/App/Controller/Auth.pm5
1 files changed, 3 insertions, 2 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index c448f8749..6e8057723 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -516,11 +516,12 @@ sub check_csrf_token : Private {
$token =~ s/ /+/g;
my ($time) = $token =~ /^(\d+)-[0-9a-zA-Z+\/]+$/;
$c->stash->{csrf_time} = $time;
+ my $gen_token = $c->forward('get_csrf_token');
+ delete $c->stash->{csrf_time};
$c->detach('no_csrf_token')
unless $time
&& $time > time() - 3600
- && $token eq $c->forward('get_csrf_token');
- delete $c->stash->{csrf_time};
+ && $token eq $gen_token;
}
sub no_csrf_token : Private {
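Review bot: The added `my $gen_token = $c->forward('get_csrf_token');` now runs unconditionally, including when the regex on the line above did not match and `$time` (and so `csrf_time` in the stash) is undef; previously the `&&` chain short-circuited on a falsy `$time` and never forwarded. Whether `get_csrf_token` copes with an undefined `csrf_time` is not visible here (it is outside the hunk), so either confirm it or keep the old short-circuit with `my $gen_token = $time ? $c->forward('get_csrf_token') : undef;`, which still clears the stash key on every path. The ordering is non-obvious enough to deserve a why-comment above the `delete`, e.g. `# Generate the comparison token first so csrf_time is always removed, even when we detach to no_csrf_token below.` The re-added `$token eq $gen_token` is a plain string compare; that is pre-existing, but a constant-time comparison would remove the timing side channel on token checks. check_csrf_token begins before this hunk and no_csrf_token continues after it.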