Merge pull request #3888 from Schlaefer/fix-#3887-reusableCsrfExpires

fixes #3887 CSRF reusable token expires

lib/Cake/Controller/Component/SecurityComponent.php

@@ -554,7 +554,9 @@ class SecurityComponent extends Component {
 		}
 		if (!$this->csrfUseOnce) {
 			$csrfTokens = array_keys($token['csrfTokens']);
-			$token['key'] = $csrfTokens[0];
+			$authKey = $csrfTokens[0];
+			$token['key'] = $authKey;
+			$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
 		}
 		$this->Session->write('_Token', $token);
 		$request->params['_Token'] = array(

lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php

@@ -1214,8 +1214,7 @@ class SecurityComponentTest extends CakeTestCase {
 		$token = $this->Security->Session->read('_Token');
 		$this->assertEquals(2, count($token['csrfTokens']), 'Missing the csrf token.');
 		foreach ($token['csrfTokens'] as $expires) {
-			$diff = $csrfExpires - $expires;
-			$this->assertTrue($diff === 0 || $diff === 1, 'Token expiry does not match');
+			$this->assertWithinMargin($expires, $csrfExpires, 2, 'Token expiry does not match');
 		}
 	}
 
@@ -1250,6 +1249,23 @@ class SecurityComponentTest extends CakeTestCase {
 		$this->assertFalse(isset($token['csrfTokens']['nonce1']), 'Token was not consumed');
 	}
 
+/**
+ * tests that reusable CSRF-token expiry is renewed
+ */
+	public function testCsrfReusableTokenRenewal() {
+		$this->Security->validatePost = false;
+		$this->Security->csrfCheck = true;
+		$this->Security->csrfUseOnce = false;
+		$csrfExpires = '+10 minutes';
+		$this->Security->csrfExpires = $csrfExpires;
+
+		$this->Security->Session->write('_Token.csrfTokens', array('token' => strtotime('+1 minutes')));
+
+		$this->Security->startup($this->Controller);
+		$tokens = $this->Security->Session->read('_Token.csrfTokens');
+		$this->assertWithinMargin($tokens['token'], strtotime($csrfExpires), 2, 'Token expiry was not renewed');
+	}
+
 /**
  * test that expired values in the csrfTokens are cleaned up.
  *