From 69463ded6b2514709c8b1d89ea413f00829a7a79 Mon Sep 17 00:00:00 2001
From: YuFei Zhu
Date: Tue, 1 May 2012 13:18:42 +0100
Subject: [PATCH] update token methods to ensure csrf token is always get setted
---
src/messenger/webim/libs/common.php | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index c6d39e12..e40b1a8d 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -767,10 +767,7 @@ function jspath()
/* authorization token check for CSRF attack */
function csrfchecktoken(){
- /* if auth token not set, set it now */
- if(!isset($_SESSION['csrf_token'])){
- $_SESSION['csrf_token']=sha1(rand(10000000,99999999));
- }
+ setcsrftoken();
// check the turing code for post requests and del requests
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
@@ -789,12 +786,23 @@ function csrfchecktoken(){
/* print csrf token as a hidden field*/
function print_csrf_token_input(){
+ setcsrftoken();
+
echo "";
}
/* print csrf token in url format */
function print_csrf_token_in_url(){
+ setcsrftoken();
+
echo "&csrf_token=".$_SESSION['csrf_token'];
}
+/* set csrf token */
+function setcsrftoken(){
+ if(!isset($_SESSION['csrf_token'])){
+ $_SESSION['csrf_token']=sha1(rand(10000000,99999999));
+ }
+}
+
?>
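Review bot: `csrfchecktoken()` now depends on `setcsrftoken()` being able to persist into `$_SESSION`, but nothing in this hunk shows that a session has been started before the check runs; if it has not, the token written here is presumably lost at the end of the request and every POST would fail validation rather than being protected, which is worth documenting as a precondition. I would restore the explanatory comment that the hunk drops, in the form `/* make sure a session token exists before validating; requires session_start() to have run */` above the `setcsrftoken();` call. The body of `csrfchecktoken()`, including the actual comparison of the submitted token against `$_SESSION['csrf_token']`, continues outside the hunk; if that comparison is a plain `==`, a constant-time compare (`hash_equals` where the PHP version has it) would be the safer choice, but I cannot confirm that from here.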
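Review bot: The new `setcsrftoken()` mints the anti-CSRF token as `sha1(rand(10000000,99999999))`, which is not a secure token: `rand()` is not a cryptographically secure generator, the argument range allows fewer than 90 million distinct inputs (under 2^27), and hashing does not add entropy, so the token space is small enough to guess offline and the generator state may be predictable. Since this commit centralises token creation into one function, it is the right place to switch to a CSPRNG source (`openssl_random_pseudo_bytes` on the PHP versions of this era, `random_bytes` on PHP 7+) and derive the token from at least 128 bits of real randomness. The rewrite below keeps the function name, the lazy `isset` guard and the hex-string shape of the stored value, so `print_csrf_token_input()` and `print_csrf_token_in_url()` need no change; I would also add a header comment, `/* create the per-session CSRF token if none exists; must be CSPRNG-backed */`, in place of the bare `/* set csrf token */`.
```php
/* create the per-session CSRF token if none exists; must be CSPRNG-backed */
function setcsrftoken(){
	if(!isset($_SESSION['csrf_token'])){
		$strong = false;
		$raw = function_exists('openssl_random_pseudo_bytes')
			? openssl_random_pseudo_bytes(32, $strong)
			: false;
		if ($raw === false || !$strong) {
			// last-resort mix when no CSPRNG is available; still far better than rand() alone
			$raw = uniqid(mt_rand(), true) . microtime(true);
		}
		$_SESSION['csrf_token'] = hash('sha256', $raw);
	}
}
```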