From 57c2ca7f26a7dd7633d65c396c4f0feba7e44210 Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Wed, 6 Apr 2022 23:47:58 +0800 Subject: [PATCH] Fix invalid CSRF token bug, make sure CSRF tokens can be up-to-date (#19338) There was a bug that the CSRF token wouldn't in 24h. This fix just does what the CSRF function comment says: If this request is a GET request, it will generate a new token. Then the CSRF token can be kept up-to-date. --- modules/context/csrf.go | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/context/csrf.go b/modules/context/csrf.go index 8d179ca904..66ea6bd0a3 100644 --- a/modules/context/csrf.go +++ b/modules/context/csrf.go @@ -229,6 +229,7 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF { } } + needsNew = needsNew || ctx.Req.Method == "GET" // If this request is a Get request, it will generate a new token, make sure the token is always up-to-date. if needsNew { // FIXME: actionId. x.Token = GenerateToken(x.Secret, x.ID, "POST")