improve session security by not using secrets to generate the CSRF token

mojolicious · Oct 10, 2015 · b2088ea · b2088ea
1 parent 734c774
commit b2088ea
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/Changes b/Changes
@@ -1,6 +1,7 @@
 
-6.24  2015-10-09
-  - Improved session security by not storing secrets in the stash.
+6.24  2015-10-10
+  - Improved session security by not storing secrets in the stash and not using
+    secrets to generate the CSRF token.
   - Improved commands to show all options that can affect their behavior.
 
 6.23  2015-10-06

diff --git a/lib/Mojolicious/Plugin/DefaultHelpers.pm b/lib/Mojolicious/Plugin/DefaultHelpers.pm
@@ -66,9 +66,7 @@ sub _content {
 }
 
 sub _csrf_token {
-  my $c = shift;
-  $c->session->{csrf_token}
-    ||= sha1_sum $c->app->secrets->[0] . steady_time . rand 999;
+  shift->session->{csrf_token} ||= sha1_sum $$ . steady_time . rand 999;
 }
 
 sub _current_route {