CSRF tokens are deleted from the session after they've been consumed

o-alquimista · Oct 5, 2019 · a45fdf8 · a45fdf8
1 parent 25a3a00
commit a45fdf8
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/Fragments/Component/Security/Csrf/CsrfTokenManager.php b/Fragments/Component/Security/Csrf/CsrfTokenManager.php
@@ -57,8 +57,15 @@ public function isTokenValid($tokenReceived, $id)
         }
 
         $tokenStored = $this->session->get($tokenName);
+        $tokenValid = hash_equals($tokenStored, $tokenReceived);
 
-        return hash_equals($tokenStored, $tokenReceived);
+        if ($tokenValid) {
+            $this->session->destroy($tokenName);
+
+            return true;
+        }
+
+        return false;
     }
 
     private function generate()