Switch CSRF token from per-request to per-session

This patch switches the CSRF token handling from per-request to per-session. The per-request behavior was overly aggressive, and it restricted parallel browsing (e.g. multiple open browser tabs).
fh-hillhacks · Dec 28, 2019 · e0d4def · e0d4def
1 parent 808c2c2
commit e0d4def
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/gavel/controllers/csrf_protection.py b/gavel/controllers/csrf_protection.py
@@ -5,7 +5,7 @@
 @app.before_request
 def csrf_protect():
     if request.method == "POST":
-        token = session.pop('_csrf_token', None)
+        token = session.get('_csrf_token', None)
         if not token or token != request.form.get('_csrf_token'):
             abort(403)