csrf: Always rotate the token to prevent double submissions

include/class.csrf.php

@@ -71,7 +71,11 @@ Class CSRF {
     }
 
     function validateToken($token) {
-        return ($token && trim($token)==$this->getToken() && !$this->isExpired());
+        $rv = $token && trim($token)==$this->getToken() && !$this->isExpired();
+        // Prevent the token from being reused
+        if ($rv && !defined('AJAX_REQUEST'))
+            $this->rotate();
+        return $rv;
     }
 
     function getFormInput($name='') {

include/class.osticket.php

@@ -111,8 +111,8 @@ class osTicket {
         return ($token && $this->getCSRF()->validateToken($token));
     }
 
-    function checkCSRFToken($name='') {
-        $name = $name?$name:$this->getCSRF()->getTokenName();
+    function checkCSRFToken($name=false) {
+        $name = $name ?: $this->getCSRF()->getTokenName();
         if(isset($_POST[$name]) && $this->validateCSRFToken($_POST[$name]))
             return true;