Fix invalid CSRF token bug, make sure CSRF tokens can be up-to-date (#19338)

There was a bug that the CSRF token wouldn't in 24h. This fix just does what the CSRF function comment says: If this request is a GET request, it will generate a new token. Then the CSRF token can be kept up-to-date.

diff --git a/modules/context/csrf.go b/modules/context/csrf.go
index 8d179ca904748f8efdcc7602b07d61e0f442729c..66ea6bd0a39994b0db5a066b858783bc5473340a 100644 (file)
--- a/modules/context/csrf.go
+++ b/modules/context/csrf.go
@@ -229,6 +229,7 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
                }
        }
 
+       needsNew = needsNew || ctx.Req.Method == "GET" // If this request is a Get request, it will generate a new token, make sure the token is always up-to-date.
        if needsNew {
                // FIXME: actionId.
                x.Token = GenerateToken(x.Secret, x.ID, "POST")