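/**
 *
 * Updates this object with current values.
 *
 * This helps to maintain transitions between not having a session and
 * then having one; in the non-session state, there will be no token,
 * so we can't expect its presence until the next page load.
 *
 * A freshly created token comes from random_bytes(), the CSPRNG; the
 * previous uniqid()/mt_rand() source is time-based and not
 * cryptographically strong, which leaves an anti-CSRF token guessable.
 *
 * @return void
 *
 */
protected function _update()
{
    if (self::$_updated) {
        // already updated with current values
        return;
    }

    // lazy-start the session if one exists
    self::$_session->lazyStart();

    if (! self::$_session->isStarted()) {
        // not started, nothing left to do
        return;
    }

    // the session has started. is there an existing csrf token?
    if (self::$_session->has('token')) {
        // retain the existing token
        self::$_current = self::$_session->get('token');
    } else {
        // no token, create a new one for the session.
        // we're transitioning from a non-token state, and
        // incoming forms won't have it yet, so we don't retain
        // the new token as the current value.
        //
        // 128 bits of CSPRNG output, hex-encoded so the value is
        // plain ASCII and safe to embed in a form field.
        self::$_session->set('token', bin2hex(random_bytes(16)));
    }

    self::$_updated = true;
}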