From 621296d84fb68a3fbafb1b9d15cfe6f2c9f14f61 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 26 Sep 2021 20:56:40 +0200
Subject: [PATCH] Fix implement CSRF protection by session (with option per
 call)

---
 htdocs/main.inc.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 1567df55a56..0a64a4a913e 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -450,10 +450,12 @@ if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
 			$_SESSION['token'] = $_SESSION['newtoken'];
 		}
 
-		// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
-		$token = dol_hash(uniqid(mt_rand(), false), 'md5'); // Generates a hash of a random number. We don't need a secured hash, just a changing random value.
-		$_SESSION['newtoken'] = $token;
-		dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
+		if (!isset($_SESSION['newtoken']) || getDolGlobalInt('MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL')) {
+			// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
+			$token = dol_hash(uniqid(mt_rand(), false), 'md5'); // Generates a hash of a random number. We don't need a secured hash, just a changing random value.
+			$_SESSION['newtoken'] = $token;
+			dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
+		}
 	}
 }