Fixing expiration conditions on CSRF tokens.

This commit is contained in:
mark_story 2010-10-02 18:27:39 -04:00
parent 7f7c202f35
commit d83c51cde9
2 changed files with 6 additions and 3 deletions


@ -719,9 +719,9 @@ class SecurityComponent extends Component {
* @return An array of nonce => expires. * @return An array of nonce => expires.
*/ */
protected function _expireTokens($tokens) { protected function _expireTokens($tokens) {
$tokenExpiryTime = strtotime($this->csrfExpires); $now = time();
foreach ($tokens as $nonce => $expires) { foreach ($tokens as $nonce => $expires) {
if ($expires < $tokenExpiryTime) { if ($expires < $now) {
unset($tokens[$nonce]); unset($tokens[$nonce]);
} }
} }
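Review bot: The docblock on the `@return` line above `_expireTokens` still reads `@return An array of nonce => expires.`, so a PHPDoc parser takes `An` as the return type; with the new body comparing stored values against `time()`, it should read `@return array Remaining tokens, nonce => expiry Unix timestamp.` A one-line comment on the new `$now = time();` line such as `// token values are Unix timestamps; compare against the current time, not csrfExpires` would also record why `$this->csrfExpires` is no longer consulted here. Note that `if ($expires < $now)` keeps a token whose expiry equals the current second; if a token is meant to be unusable at its stated expiry, `<=` is the intended test — that depends on how the expiry is written when the token is created, which is outside this hunk. The method's `return` statement is not visible in the hunk.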


@ -1302,12 +1302,15 @@ DIGEST;
$this->Security->csrfExpires = '+10 minutes'; $this->Security->csrfExpires = '+10 minutes';
$this->Security->Session->write('_Token.csrfTokens', array( $this->Security->Session->write('_Token.csrfTokens', array(
'valid' => strtotime('+30 minutes'),
'poof' => strtotime('-11 minutes'), 'poof' => strtotime('-11 minutes'),
'dust' => strtotime('-20 minutes') 'dust' => strtotime('-20 minutes')
)); ));
$this->Security->startup($this->Controller); $this->Security->startup($this->Controller);
$tokens = $this->Security->Session->read('_Token.csrfTokens'); $tokens = $this->Security->Session->read('_Token.csrfTokens');
$this->assertEquals(1, count($tokens), 'Too many tokens left behind'); $this->assertEquals(2, count($tokens), 'Too many tokens left behind');
$this->assertNotEmpty('valid', $tokens, 'Valid token was removed.');
} }
/** /**
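Review bot: The new `$this->assertNotEmpty('valid', $tokens, 'Valid token was removed.');` does not test what its message says: `assertNotEmpty()` takes the value under test as its first argument, so it only asserts that the literal string `'valid'` is non-empty (always true) and passes `$tokens` where the failure message belongs. To actually verify the unexpired token survived the call to `startup()`, use `$this->assertTrue(isset($tokens['valid']), 'Valid token was removed.');` (or the equivalent array-key assertion). Together with the `assertEquals(2, count($tokens), ...)` line this would pin both that exactly two tokens remain and which one was kept. The test method's opening lines are outside this hunk.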