diff --git a/session.py b/session.py index b1a0b62..ccda7bb 100644 --- a/session.py +++ b/session.py @@ -22,7 +22,8 @@ class SessionPlugin(object): return redirect(self.loginpage) kwargs[self.keyword] = User(uid) if request.method == 'POST': - if request.forms['csrf'] != request.get_cookie('csrf'): + if request.forms['csrf'] != request.get_cookie('csrf', + secret=db.get_secret()): abort(400) return callback(*args, **kwargs) diff --git a/user.py b/user.py index 4ec7fc8..4ff1db1 100644 --- a/user.py +++ b/user.py @@ -15,10 +15,10 @@ class User(object): response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/') def get_csrf(self): - csrf_token = request.get_cookie('csrf') + csrf_token = request.get_cookie('csrf', secret=db.get_secret()) if not csrf_token: - allchar = "1234567890" - csrf_token = "".join(choice(allchar) for x in [32]) + allchar = "0123456789" + csrf_token = "".join(choice(allchar) for x in range(32)) return csrf_token def check_password(self, password):