[Form] throw an exception if session_id() is empty when a csrf token is generated

2010-10-24 17:48:15 +02:00 · 2010-10-24 17:48:15 +02:00 · a198bbcf43
commit a198bbcf43
parent 4c340c5cc9
2 changed files with 10 additions and 1 deletions
--- a/src/Symfony/Component/Form/Form.php
+++ b/src/Symfony/Component/Form/Form.php
@ -176,7 +176,11 @@ class Form extends FieldGroup
     */
    protected function generateCsrfToken($secret)
    {
-        return md5($secret.session_id().get_class($this));
+        $sessId = session_id();
+        if (!$sessId) {
+            throw new \LogicException('The session must be started in order to generate a proper CSRF Token');
+        }
+        return md5($secret.$sessId.get_class($this));
    }

    /**
--- a/tests/Symfony/Tests/Component/Form/FormTest.php
+++ b/tests/Symfony/Tests/Component/Form/FormTest.php
@ -47,6 +47,11 @@ class FormTest extends \PHPUnit_Framework_TestCase
    protected $validator;
    protected $form;

+    public static function setUpBeforeClass()
+    {
+        @session_start();
+    }
+
    protected function setUp()
    {
        Form::disableDefaultCsrfProtection();