Merge pull request #664 from RahulKumarSaini/master

Make form_key/csrf token regeneration configurable.
Luracast · Aug 18, 2021 · 5919d80 · 5919d80
2 parents 777b00b + 82f210c
commit 5919d80
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/UI/Forms.php b/UI/Forms.php
@@ -48,6 +48,12 @@ class Forms implements iFilter
      * @var ValidationInfo
      */
     public static $validationInfo = null;
+    /**
+     * @var bool Should every instance of the form have unique form_key (csrf token)?
+     *
+     */
+    public static $form_key_regenerate = true;
+
     protected static $inputTypes = array(
         'hidden',
         'password',
@@ -434,6 +440,7 @@ public static function key($method = 'POST', $action = null)
             $action = Scope::get('Restler')->url;
         }
         $target = "$method $action";
+        static::$key = static::$form_key_regenerate ? static::$key : $_SESSION[static::FORM_KEY];
         if (empty(static::$key[$target])) {
             static::$key[$target] = md5($target . User::getIpAddress() . uniqid(mt_rand()));
         }