From 6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sun, 14 Jan 2018 02:13:24 +0300
Subject: [PATCH] Fixes #15496: CSRF token is now regenerated on changing identity

---
 framework/CHANGELOG.md | 2 ++
 framework/web/User.php | 3 +++
 tests/framework/helpers/UrlTest.php | 1 +
 3 files changed, 6 insertions(+)

diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index 0565af452f..4c8f340ea5 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -3,6 +3,8 @@ Yii Framework 2 Change Log
 2.0.14 under development
 ------------------------
 
+
+- Enh #15496: CSRF token is now regenerated on changing identity (samdark, rhertogh)
 - Enh #15417: Added `yii\validators\FileValidator::$minFiles` (vladis84)
 - Bug #8983: Only truncate the original log file for rotation (matthewyang, developeruz)
 - Bug #14157: Add support for loading default value `CURRENT_TIMESTAMP` of MySQL `datetime` field (rossoneri)
diff --git a/framework/web/User.php b/framework/web/User.php
index 6104d2d01e..35314934d6 100644
--- a/framework/web/User.php
+++ b/framework/web/User.php
@@ -641,6 +641,9 @@ class User extends Component
                 $this->sendIdentityCookie($identity, $duration);
             }
         }
+
+        // regenerate CSRF token
+        Yii::$app->getRequest()->getCsrfToken(true);
     }
 
     /**
diff --git a/tests/framework/helpers/UrlTest.php b/tests/framework/helpers/UrlTest.php
index a9e6e91e33..cf57f15078 100644
--- a/tests/framework/helpers/UrlTest.php
+++ b/tests/framework/helpers/UrlTest.php
@@ -29,6 +29,7 @@ class UrlTest extends TestCase
             'components' => [
                 'request' => [
                     'class' => 'yii\web\Request',
+                    'cookieValidationKey' => '123',
                     'scriptUrl' => '/base/index.php',
                     'hostInfo' => 'http://example.com/',
                     'url' => '/base/index.php&r=site%2Fcurrent&id=42',
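Review bot: The new `Yii::$app->getRequest()->getCsrfToken(true)` at the end of `switchIdentity()` is unconditional, so it runs for every kind of request component and even when CSRF validation is disabled. `getCsrfToken()` is defined on `yii\web\Request` only, so using `yii\web\User` from a console application (a login inside a command, or a test that mocks a console app) would become an undefined-method error, and with the default `enableCsrfCookie = true` it also needs a configured `cookieValidationKey` — the otherwise unrelated fixture change in `tests/framework/helpers/UrlTest.php` in this commit appears to be working around exactly that. I would guard the regeneration on the request type and on `enableCsrfValidation`, as below, and replace the bare `// regenerate CSRF token` with a comment saying why (a token issued to the previous identity must not stay valid after the switch). The method's signature and its `enableSession` early return are outside the hunk, so the guard belongs after the session/cookie handling shown here.

```php
        // … unchanged: session and identity-cookie handling …

        // Regenerate the CSRF token so a token issued before the identity change
        // cannot be reused by the new one. Only web requests carry CSRF state;
        // skip console requests and applications that disabled CSRF validation.
        $request = Yii::$app->getRequest();
        if ($request instanceof Request && $request->enableCsrfValidation) {
            $request->getCsrfToken(true);
        }
    }
```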