Store a single CSRF token per session
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
puiterwijk committed Dec 8, 2017
1 parent 26f8f82 commit 42b864c
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions flask_oidc/__init__.py
Expand Up @@ -532,10 +532,11 @@ def redirect_to_auth_server(self, destination, customstate=None):
.. deprecated:: 1.0
Use :func:`require_login` instead.
"""
csrf_token = urlsafe_b64encode(os.urandom(24)).decode('utf-8')
session['oidc_csrf_token'] = csrf_token
if 'oidc_csrf_token' not in session:
csrf_token = urlsafe_b64encode(os.urandom(24)).decode('utf-8')
session['oidc_csrf_token'] = csrf_token
state = {
'csrf_token': csrf_token,
'csrf_token': session['oidc_csrf_token'],
}
statefield = 'destination'
statevalue = destination
Expand Down Expand Up @@ -662,7 +663,7 @@ def _process_callback(self, statefield):
"""
# retrieve session and callback variables
try:
session_csrf_token = session.pop('oidc_csrf_token')
session_csrf_token = session.get('oidc_csrf_token')

state = _json_loads(urlsafe_b64decode(request.args['state'].encode('utf-8')))
csrf_token = state['csrf_token']
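Review bot: Replacing `session.pop('oidc_csrf_token')` with `session.get('oidc_csrf_token')` on the new line changes the missing-token case from a KeyError into a `None` value, and a `state` whose JSON carries `"csrf_token": null` decodes to `None` as well, so the subsequent equality check (outside this hunk) would presumably succeed for a session that never started a login. Keeping the lookup strict, `session_csrf_token = session['oidc_csrf_token']`, preserves the old failure path for an absent token while still leaving the token in the session as the commit intends. Because the token is now never consumed, it also persists for the whole session; consider clearing or rotating it once the callback succeeds or on logout so a captured `state` value has a bounded window. `_process_callback` begins and ends outside this hunk, so the comparison itself is inferred from the `csrf_token` extraction shown here.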
