fixes #3887 CSRF reusable token expires

lib/Cake/Controller/Component/SecurityComponent.php

@@ -554,7 +554,9 @@ class SecurityComponent extends Component {
 		}
 		if (!$this->csrfUseOnce) {
 			$csrfTokens = array_keys($token['csrfTokens']);
-			$token['key'] = $csrfTokens[0];
+			$authKey = $csrfTokens[0];
+			$token['key'] = $authKey;
+			$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
 		}
 		$this->Session->write('_Token', $token);
 		$request->params['_Token'] = array(

lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php

@@ -1250,6 +1250,24 @@ class SecurityComponentTest extends CakeTestCase {
 		$this->assertFalse(isset($token['csrfTokens']['nonce1']), 'Token was not consumed');
 	}
 
+/**
+ * tests that reusable CSRF-token expiry is renewed
+ */
+	public function testCsrfReusableTokenRenewal() {
+		$this->Security->validatePost = false;
+		$this->Security->csrfCheck = true;
+		$this->Security->csrfUseOnce = false;
+		$csrfExpires = '+10 minutes';
+		$this->Security->csrfExpires = $csrfExpires;
+
+		$this->Security->Session->write('_Token.csrfTokens', array('token' => strtotime('+1 minutes')));
+
+		$this->Security->startup($this->Controller);
+		$tokens = $this->Security->Session->read('_Token.csrfTokens');
+		$diff = strtotime($csrfExpires) - $tokens['token'];
+		$this->assertTrue($diff === 0 || $diff === 1, 'Token expiry was not renewed');
+	}
+
 /**
  * test that expired values in the csrfTokens are cleaned up.
  *