Пример #1
 /**
  * 
  * Updates this object with current values.
  * 
  * This helps to maintain transitions between not having a session and
  * then having one; in the non-session state, there will be no token,
  * so we can't expect its presence until the next page load.
  * 
  * @return void
  * 
  */
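 protected function _update()
 {
     // Runs at most once: the static flag is set at the end of the first
     // call that finds a started session.
     if (self::$_updated) {
         // already updated with current values
         return;
     }

     // lazy-start the session if one exists
     self::$_session->lazyStart();
     if (!self::$_session->isStarted()) {
         // not started, nothing left to do; $_updated stays false so a
         // later call can pick up a session that starts afterwards
         return;
     }

     // the session has started. is there an existing csrf token?
     if (self::$_session->has('token')) {
         // retain the existing token
         self::$_current = self::$_session->get('token');
     } else {
         // no token, create a new one for the session.
         // we're transitioning from a non-token state, and
         // incoming forms won't have it yet, so we don't retain
         // the new token as the current value.
         //
         // The token is the only secret protecting state-changing
         // requests, so it has to be unpredictable. uniqid() is derived
         // from the clock and mt_rand() is not a cryptographic generator,
         // so their combination is guessable; draw the value from the
         // operating system CSPRNG instead.
         if (function_exists('random_bytes')) {
             // 32 random bytes, hex-encoded to a 64-character string
             $token = bin2hex(random_bytes(32));
         } else {
             // NOTE(review): runtimes older than PHP 7 have no
             // random_bytes(); the legacy value is kept so they still
             // work, but it is predictable and should be replaced with
             // a CSPRNG source on such installations.
             $token = uniqid(mt_rand(), true);
         }
         self::$_session->set('token', $token);
     }

     self::$_updated = true;
 }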