From b4f47a762338abe6ce3a6e3d6d0896b8a387228d Mon Sep 17 00:00:00 2001
From: Unknwon <u@gogs.io>
Date: Sat, 12 Mar 2016 20:56:03 -0500
Subject: [PATCH] #1891 attempt to fix invalid csrf token

---
 README.md                  | 2 +-
 cmd/web.go                 | 5 +++--
 glide.lock                 | 4 ++--
 gogs.go                    | 2 +-
 modules/setting/setting.go | 3 ++-
 routers/user/auth.go       | 6 ++++++
 templates/.VERSION         | 2 +-
 7 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index c12d55e39c..1bd7fcb37d 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
 
 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
 
-##### Current version: 0.9.7
+##### Current version: 0.9.8
 
 | Web | UI  | Preview  |
 |:-------------:|:-------:|:-------:|
diff --git a/cmd/web.go b/cmd/web.go
index 97bb03213b..3a63d0845d 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -81,12 +81,12 @@ func checkVersion() {
 		{"github.com/go-xorm/xorm", func() string { return xorm.Version }, "0.5.2.0304"},
 		{"github.com/go-macaron/binding", binding.Version, "0.2.1"},
 		{"github.com/go-macaron/cache", cache.Version, "0.1.2"},
-		{"github.com/go-macaron/csrf", csrf.Version, "0.0.5"},
+		{"github.com/go-macaron/csrf", csrf.Version, "0.1.0"},
 		{"github.com/go-macaron/i18n", i18n.Version, "0.2.0"},
 		{"github.com/go-macaron/session", session.Version, "0.1.6"},
 		{"github.com/go-macaron/toolbox", toolbox.Version, "0.1.0"},
 		{"gopkg.in/ini.v1", ini.Version, "1.8.4"},
-		{"gopkg.in/macaron.v1", macaron.Version, "1.1.1"},
+		{"gopkg.in/macaron.v1", macaron.Version, "1.1.2"},
 		{"github.com/gogits/git-module", git.Version, "0.2.9"},
 		{"github.com/gogits/go-gogs-client", gogs.Version, "0.7.3"},
 	}
@@ -158,6 +158,7 @@ func newMacaron() *macaron.Macaron {
 	m.Use(session.Sessioner(setting.SessionConfig))
 	m.Use(csrf.Csrfer(csrf.Options{
 		Secret:     setting.SecretKey,
+		Cookie:     setting.CSRFCookieName,
 		SetCookie:  true,
 		Header:     "X-Csrf-Token",
 		CookiePath: setting.AppSubUrl,
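Review bot: The new `Cookie: setting.CSRFCookieName` line ties this middleware to the three `ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl)` calls in routers/user/auth.go, but a browser only drops a cookie when the name, path and domain of the expiring Set-Cookie all match the original, and that coupling is not stated anywhere. Here the path is `setting.AppSubUrl` and no domain is set, which agrees with the auth.go calls, so it works today; a comment would keep it that way when someone later adds `CookieDomain` or changes `CookiePath`: `Cookie: setting.CSRFCookieName, // expired by sign-in/out in routers/user/auth.go; keep path/domain in sync with those calls`. The enclosing `newMacaron` body continues outside the hunk, so I cannot see whether other cookie attributes are set on this options block.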
diff --git a/glide.lock b/glide.lock
index 87d0af2a5f..7b0b9310eb 100644
--- a/glide.lock
+++ b/glide.lock
@@ -17,7 +17,7 @@ imports:
 - name: github.com/go-macaron/captcha
   version: 8aa5919789ab301e865595eb4b1114d6b9847deb
 - name: github.com/go-macaron/csrf
-  version: 546646cf80d2feabea4e4098d2d824d5582f3416
+  version: 6a9a7df172cc1fcd81e4585f44b09200b6087cc0
 - name: github.com/go-macaron/gzip
   version: cad1c6580a07c56f5f6bc52d66002a05985c5854
 - name: github.com/go-macaron/i18n
@@ -127,7 +127,7 @@ imports:
 - name: gopkg.in/ldap.v2
   version: 07a7330929b9ee80495c88a4439657d89c7dbd87
 - name: gopkg.in/macaron.v1
-  version: 7c9e5e5b8c1176ce95a6f41b4e1cd60a44f8839d
+  version: 53b60f3c7d9e575050852ada71ec2953e8d685ad
 - name: gopkg.in/redis.v2
   version: e6179049628164864e6e84e973cfb56335748dea
 devImports: []
diff --git a/gogs.go b/gogs.go
index 2c3ade5430..062fa29bcd 100644
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.9.7.0312"
+const APP_VER = "0.9.8.0312"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 5d117be41f..2fbc1f2cdc 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -156,7 +156,8 @@ var (
 	CacheConn     string
 
 	// Session settings
-	SessionConfig session.Options
+	SessionConfig  session.Options
+	CSRFCookieName = "_csrf"
 
 	// Git settings
 	Git struct {
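Review bot: `CSRFCookieName = "_csrf"` is added as an untyped, exported, mutable package variable under the `// Session settings` comment, and nothing in this patch reads it from a config section, so a reader cannot tell whether it is a tunable or a fixed protocol value shared with the csrf middleware. If it is not meant to be overridden from app.ini, a `const` in a separate block states that intent and prevents accidental reassignment; otherwise the initializer should be documented as the default. At minimum give it its own comment so it is not mistaken for a session option: `// CSRF settings` followed by `CSRFCookieName = "_csrf" // cookie the csrf middleware stores the token in; expired on sign-in/out so a fresh token is issued`. The enclosing `var (` block starts and ends outside the hunk.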
diff --git a/routers/user/auth.go b/routers/user/auth.go
index 3af87c5844..646b878396 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -63,6 +63,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 	isSucceed = true
 	ctx.Session.Set("uid", u.Id)
 	ctx.Session.Set("uname", u.Name)
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl)
 	return true, nil
 }
 
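Review bot: The added `ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl)` is repeated verbatim in this hunk, in `SignInPost` and in `SignOut`, and only the `SignInPost` copy carries a comment explaining why the cookie is expired. Three copies of the same cookie name, max-age and path are three places to drift apart from the `csrf.Options` block in cmd/web.go, so I would extract a single helper: `// clearCSRFCookie expires the CSRF cookie so the middleware issues a fresh token on the next request.` over `func clearCSRFCookie(ctx *context.Context) { ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl) }`, and call it from all three sites. Note that the middleware has already run for the current request, so the token in the rendered response is still the old one; the fresh token presumably only appears from the next request, which is worth stating in the helper's comment if that is the intended behaviour. `AutoSignIn` starts outside this hunk.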
@@ -116,6 +117,10 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 
 	ctx.Session.Set("uid", u.Id)
 	ctx.Session.Set("uname", u.Name)
+
+	// Clear whatever CSRF has right now, force to generate a new one
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl)
+
 	if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
 		ctx.Redirect(redirectTo)
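Review bot: The value unescaped from the `redirect_to` cookie is passed straight to `ctx.Redirect(redirectTo)` with no check visible in this hunk that it is a same-site, relative path, while the new lines just above it are establishing the authenticated session. The cookie is presumably set by the application itself on another page, but it is still client-controlled, so unless it is validated where it is written, a guard such as `if !strings.HasPrefix(redirectTo, "/") || strings.HasPrefix(redirectTo, "//") { redirectTo = setting.AppSubUrl + "/" }` before the redirect would close the gap; this pre-dates the patch but sits in the code it touches. The rest of `SignInPost` lies outside the hunk, so the check may already exist elsewhere and this note should be confirmed against the full function.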
@@ -133,6 +138,7 @@ func SignOut(ctx *context.Context) {
 	ctx.Session.Delete("socialEmail")
 	ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl)
 	ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl)
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl)
 	ctx.Redirect(setting.AppSubUrl + "/")
 }
 
diff --git a/templates/.VERSION b/templates/.VERSION
index c378d4dd2d..bde4be41bf 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.9.7.0312
\ No newline at end of file
+0.9.8.0312
\ No newline at end of file