From c43d0b18f282045f897aa86f990c8b748c728589 Mon Sep 17 00:00:00 2001
From: Thibaut Despoulain
Date: Wed, 26 Oct 2011 18:41:03 +0200
Subject: [PATCH] Added $multiple argument and support for reusable tokens (ie. for ajax-heavy pages)

Signed-off-by: Thibaut Despoulain
---
 example/example.php | 4 ++--
 example/nocsrf.php | 7 +++++--
 nocsrf.php | 7 +++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/example/example.php b/example/example.php
index 47dcb56..5fc4f24 100644
--- a/example/example.php
+++ b/example/example.php
@@ -7,8 +7,8 @@
 {
 try
 {
- // Run CSRF check, on POST data, in exception mode, for 10 minutes
- NoCSRF::check( 'csrf_token', $_POST, true, 60*10 );
+ // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
+ NoCSRF::check( 'csrf_token', $_POST, true, 60*10, false );
 // form parsing, DB inserts, etc.
 // ...
 $result = 'CSRF check passed. Form parsed.';
diff --git a/example/nocsrf.php b/example/nocsrf.php
index a6eb21e..4d76127 100644
--- a/example/nocsrf.php
+++ b/example/nocsrf.php
@@ -18,9 +18,10 @@ class NoCSRF
  * @param Mixed $origin The object/associative array to retreive the token data from (usually $_POST).
  * @param Boolean $throwException (Facultative) TRUE to throw exception on check fail, FALSE or default to return false.
  * @param Integer $timespan (Facultative) Makes the token expire after $timespan seconds. (null = never)
+ * @param Boolean $multiple (Facultative) Makes the token reusable and not one-time. (Useful for ajax-heavy requests).
  * @return Boolean Returns FALSE if a CSRF attack is detected, TRUE otherwise.
  */
- public static function check( $key, $origin, $throwException=false, $timespan=null )
+ public static function check( $key, $origin, $throwException=false, $timespan=null, $multiple=false )
 {
 if ( !isset( $_SESSION[ 'csrf_' . $key ] ) )
 if($throwException)
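Review bot: The new `@param Boolean $multiple` docblock line in the example/nocsrf.php hunk does not say what reuse costs: with `$multiple=true` the token stays accepted on every later request until `$timespan` elapses, and since `$timespan` is documented as `(null = never)` the default pairing leaves a single token valid for the whole session. Suggested wording: `@param Boolean $multiple (Facultative) TRUE keeps the token in the session after a successful check so it can be reused (ajax-heavy pages); combine with a $timespan so a reusable token still expires. FALSE (default) invalidates it on first use.` The same hunk is repeated for nocsrf.php further down, and the check() body continues outside this hunk.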
@@ -36,8 +37,10 @@ public static function check( $key, $origin, $throwException=false, $timespan=nu
 // Get valid token from session
 $hash = $_SESSION[ 'csrf_' . $key ];
+ // Free up session token for one-time CSRF token usage.
- $_SESSION[ 'csrf_' . $key ] = null;
+ if(!$multiple)
+ $_SESSION[ 'csrf_' . $key ] = null;
 // Check if session token matches form token
 if ( $origin[ $key ] != $hash )
diff --git a/nocsrf.php b/nocsrf.php
index a6eb21e..4d76127 100644
--- a/nocsrf.php
+++ b/nocsrf.php
@@ -18,9 +18,10 @@ class NoCSRF
  * @param Mixed $origin The object/associative array to retreive the token data from (usually $_POST).
  * @param Boolean $throwException (Facultative) TRUE to throw exception on check fail, FALSE or default to return false.
  * @param Integer $timespan (Facultative) Makes the token expire after $timespan seconds. (null = never)
+ * @param Boolean $multiple (Facultative) Makes the token reusable and not one-time. (Useful for ajax-heavy requests).
  * @return Boolean Returns FALSE if a CSRF attack is detected, TRUE otherwise.
  */
- public static function check( $key, $origin, $throwException=false, $timespan=null )
+ public static function check( $key, $origin, $throwException=false, $timespan=null, $multiple=false )
 {
 if ( !isset( $_SESSION[ 'csrf_' . $key ] ) )
 if($throwException)
@@ -36,8 +37,10 @@ public static function check( $key, $origin, $throwException=false, $timespan=nu
 // Get valid token from session
 $hash = $_SESSION[ 'csrf_' . $key ];
+ // Free up session token for one-time CSRF token usage.
- $_SESSION[ 'csrf_' . $key ] = null;
+ if(!$multiple)
+ $_SESSION[ 'csrf_' . $key ] = null;
 // Check if session token matches form token
 if ( $origin[ $key ] != $hash )
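Review bot: With `$multiple=true` the session token now survives a check, so the loose comparison on the last context line of the example/nocsrf.php hunk, `if ( $origin[ $key ] != $hash )`, is the only thing deciding whether a reused token matches; it should be a strict comparison that also handles a missing field, `if ( !isset( $origin[ $key ] ) || $origin[ $key ] !== $hash )`, and on PHP versions that provide it `hash_equals( $hash, (string) $origin[ $key ] )` is the preferred form. The added guard `if(!$multiple)` should carry braces and match the `if ( ... )` spacing used elsewhere in the hunk: `if ( !$multiple ) { $_SESSION[ 'csrf_' . $key ] = null; }`. The same hunk is repeated for nocsrf.php below; check() begins before this hunk and continues after it.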