From 7f8b2fca894440ed100305b1b229a770fa667f10 Mon Sep 17 00:00:00 2001
From: YuFei Zhu
Date: Tue, 1 May 2012 13:18:42 +0100
Subject: [PATCH] update token methods to ensure csrf token is always get setted

---
 src/messenger/webim/libs/common.php | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index a1138da7..ad5e1586 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -690,10 +690,7 @@ function jspath()
 
 /* authorization token check for CSRF attack */
 function csrfchecktoken(){
-	/* if auth token not set, set it now */
-	if(!isset($_SESSION['csrf_token'])){
-		$_SESSION['csrf_token']=sha1(rand(10000000,99999999));
-	}
+	setcsrftoken();
 	
 	// check the turing code for post requests and del requests
 	if ($_SERVER['REQUEST_METHOD'] == 'POST'){
@@ -712,12 +709,23 @@ function csrfchecktoken(){
 
 /* print csrf token as a hidden field*/
 function print_csrf_token_input(){
+	setcsrftoken();
+	
 	echo "";
 }
 
 /* print csrf token in url format */
 function print_csrf_token_in_url(){
+	setcsrftoken();
+	
 	echo "&csrf_token=".$_SESSION['csrf_token'];
 }
 
+/* set csrf token */
+function setcsrftoken(){
+	if(!isset($_SESSION['csrf_token'])){
+		$_SESSION['csrf_token']=sha1(rand(10000000,99999999));
+	}
+}
+
 ?>
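Review bot: The new `setcsrftoken()` in the second hunk derives the CSRF token from `sha1(rand(10000000,99999999))`, so the token space is fewer than 2^27 values drawn from a non-cryptographic generator; hashing does not add entropy, and a guessable token defeats the check that `csrfchecktoken()` (whose body continues outside the first hunk) performs. Generate it from a CSPRNG instead, e.g. `$_SESSION['csrf_token']=bin2hex(random_bytes(20));` (PHP 7+), or `bin2hex(openssl_random_pseudo_bytes(20))` on older runtimes, which keeps the same hex-only shape the callers rely on. That shape matters: `print_csrf_token_input()` and `print_csrf_token_in_url()` echo the session value into HTML and a query string without `htmlspecialchars()`/`urlencode()`, which is only safe while the token is guaranteed hex, so a comment such as `/* token must stay hex: callers emit it unescaped */` belongs on the helper. All three callers also assume a session is already active when they run; if `session_start()` is not guaranteed earlier in the request, the assignment is silently lost and the check will fail.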