From 0240c21af6e999742c49bf00c57e3c6f5548eebd Mon Sep 17 00:00:00 2001
From: Ben Thomson
Date: Thu, 5 Sep 2019 11:33:10 +0800
Subject: [PATCH] Fail CSRF token checks if the session expires. (#4598)

Fixes #4595.

Credit to @bennothommo
---
 modules/backend/classes/Controller.php | 2 +-
 modules/cms/classes/Controller.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/backend/classes/Controller.php b/modules/backend/classes/Controller.php
index b27d7b678..fd1e16119 100644
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@@ -786,7 +786,7 @@ class Controller extends ControllerBase
 $token = Request::input('_token') ?: Request::header('X-CSRF-TOKEN');
- if (!strlen($token)) {
+ if (!strlen($token) || !strlen(Session::token())) {
 return false;
 }
diff --git a/modules/cms/classes/Controller.php b/modules/cms/classes/Controller.php
index 1bb899373..1887c6811 100644
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@@ -1596,7 +1596,7 @@ class Controller
 $token = Request::input('_token') ?: Request::header('X-CSRF-TOKEN');
- if (!strlen($token)) {
+ if (!strlen($token) || !strlen(Session::token())) {
 return false;
 }
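Review bot: The added guard still passes `Session::token()` (and `$token`, which is presumably `null` when neither the `_token` input nor the `X-CSRF-TOKEN` header is present) straight into `strlen()`, so the rejection of an expired session relies on PHP 7 silently coercing `null` to `''`; on PHP 8.1+ that emits a deprecation and, if the file declares `strict_types`, a `TypeError`, turning an expired session into an error response instead of the intended `return false`. An explicit emptiness test avoids the coercion and lets the comparison that follows reuse the value: `$sessionToken = Session::token();` / `if (!is_string($token) || $token === '' || !is_string($sessionToken) || $sessionToken === '') {` / `    return false;`. A one-line comment above the guard would record why the session side is checked at all, e.g. `// An expired or absent session yields an empty Session::token(); an empty request token must never be allowed to match it.` The identical change in the second hunk (modules/cms/classes/Controller.php, @@ -1596) has the same issue; in both files the enclosing method starts and ends outside the hunk, so the actual token comparison that follows the guard is not visible here.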