From bb94b39745cc1b38dcc6fb12b7ec028cde3a4a11 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Mon, 13 Mar 2017 22:14:11 +0100
Subject: [PATCH] Do not clear CSRF token on logout (fix for #1303)

This is a hacky way to allow the use case of #1303.

What happens is

1. User tries to login
2. PreLoginHook kicks in and figures out that the user need to change
their LDAP password or whatever => redirects user
3. While loading the redirect some logic of ours kicks in and logouts
the user (thus clearing the session).
4. We render the new page but now the session and the page disagree
about the CSRF token

This is kind of hacky but I don't think it introduces new attack
vectors.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 lib/private/Session/CryptoSessionData.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/private/Session/CryptoSessionData.php b/lib/private/Session/CryptoSessionData.php
index 58020edf66..4e0b852cb3 100644
--- a/lib/private/Session/CryptoSessionData.php
+++ b/lib/private/Session/CryptoSessionData.php
@@ -129,7 +129,11 @@ class CryptoSessionData implements \ArrayAccess, ISession {
 	 * Reset and recreate the session
 	 */
 	public function clear() {
+		$requesttoken = $this->get('requesttoken');
 		$this->sessionValues = [];
+		if ($requesttoken !== null) {
+			$this->set('requesttoken', $requesttoken);
+		}
 		$this->isModified = true;
 		$this->session->clear();
 	}