authorChris McDonough <chrism@plope.com>2010-12-22 22:59:54 -0500
committerChris McDonough <chrism@plope.com>2010-12-22 22:59:54 -0500
commit36ea5b34b4ba25666a5b1d5fa86295e26395e921 (patch)
treef5a7de1941c80f576dbdcb031f22b0d518a35fc7
parent98d171f300186b30912770ff68baa67787b7b4c1 (diff)
Changed my mind. Never pop the CSRF token. Leave it around until
a new one replaces it.
-rw-r--r--docs/narr/csrf.rst30
-rw-r--r--pyramid/interfaces.py4
-rw-r--r--pyramid/session.py4
-rw-r--r--pyramid/tests/test_session.py6
4 files changed, 22 insertions, 22 deletions
diff --git a/docs/narr/csrf.rst b/docs/narr/csrf.rst
index 7d1ee6fea..7586b0ed7 100644
--- a/docs/narr/csrf.rst
+++ b/docs/narr/csrf.rst
@@ -28,35 +28,35 @@ To add a CSRF token to the session, use the ``session.new_csrf_token`` method.
The ``.new_csrf_token`` method accepts no arguments. It returns a *token*
string, which will be opaque and randomized. This token will also be set
-into the session, awaiting pickup by the ``session.pop_csrf_token`` method.
+into the session, awaiting pickup by the ``session.get_csrf_token`` method.
You can subsequently use the returned token as the value of a hidden field in
a form that posts to a method that requires elevated privileges. The handler
-for the form post should use ``session.pop_csrf_token`` (explained below) to
-pop the current CSRF token related to the user from the session, and compare
-it to the value of the hidden form field.
+for the form post should use ``session.get_csrf_token`` (explained below) to
+obtain the current CSRF token related to the user from the session, and
+compare it to the value of the hidden form field.
-Using the ``session.pop_csrf_token`` Method
+Using the ``session.get_csrf_token`` Method
-------------------------------------------
-To pop the current CSRF token from the session, use the
-``session.pop_csrf_token`` method.
+To get the current CSRF token from the session, use the
+``session.get_csrf_token`` method.
.. code-block:: python
:linenos:
- token = request.session.pop_csrf_token()
+ token = request.session.get_csrf_token()
-The ``.pop_csrf_token`` method accepts no arguments. It returns the
-"current" *token* string (as per the last call to
-``session.new_csrf_token``). You can then use it to compare against the
-token provided within form post hidden value data. For example, if your form
-rendering included the CSRF token obtained via ``session.new_csrf_token`` as
-a hidden input field named ``csrf_token``:
+The ``get_csrf_token`` method accepts no arguments. It returns the "current"
+*token* string (as per the last call to ``session.new_csrf_token``). You can
+then use it to compare against the token provided within form post hidden
+value data. For example, if your form rendering included the CSRF token
+obtained via ``session.new_csrf_token`` as a hidden input field named
+``csrf_token``:
.. code-block:: python
:linenos:
- token = request.session.pop_csrf_token()
+ token = request.session.get_csrf_token()
if token != request.POST['csrf_token']:
raise ValueError('CSRF token did not match')
diff --git a/pyramid/interfaces.py b/pyramid/interfaces.py
index aa537d633..32359ca94 100644
--- a/pyramid/interfaces.py
+++ b/pyramid/interfaces.py
@@ -484,8 +484,8 @@ class ISession(Interface):
""" Create and set into the session a new, random cross-site request
forgery protection token. Return the token. It will be a string."""
- def pop_csrf_token(self):
- """ Pop any CSRF token previously added to the session via
+ def get_csrf_token(self):
+ """ Get the CSRF token previously added to the session via
``new_csrf_token``, and return the token. If no CSRF token exists,
the value returned will be ``None``.
"""
diff --git a/pyramid/session.py b/pyramid/session.py
index b138af7c7..516815d99 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -193,8 +193,8 @@ def UnencryptedCookieSessionFactoryConfig(
return token
@manage_accessed
- def pop_csrf_token(self):
- return self.pop('_csrft_', None)
+ def get_csrf_token(self):
+ return self.get('_csrft_', None)
# non-API methods
def _set_cookie(self, response):
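Review bot: `get_csrf_token` on the new line yields `None` when no token has ever been created, and nothing in the hunk creates one on demand, so a template that renders `get_csrf_token()` straight into a hidden field before `new_csrf_token` has run would emit `None` and every later post would fail the comparison. If that is the intended contract (the interface docstring does say `None`), a short comment such as `# Does not create a token; callers must call new_csrf_token() first` would make it explicit; if lazy creation is wanted instead, `token = self.get('_csrft_')` / `if token is None: token = self.new_csrf_token()` / `return token` would do it, at the cost of changing the documented `None` return. As a matter of style, `self.get('_csrft_', None)` can drop the explicit default, since a mapping's `get` already returns `None` — assuming the session class is dict-like, which the `session['_csrft_']` usage in the tests suggests. The enclosing `UnencryptedCookieSessionFactoryConfig` function and the class it defines both start before the hunk.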
diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
index 449ef02a5..0e88b28cd 100644
--- a/pyramid/tests/test_session.py
+++ b/pyramid/tests/test_session.py
@@ -170,13 +170,13 @@ class TestUnencryptedCookieSession(unittest.TestCase):
token = session.new_csrf_token()
self.assertEqual(token, session['_csrft_'])
- def test_pop_csrf_token(self):
+ def test_get_csrf_token(self):
request = testing.DummyRequest()
session = self._makeOne(request)
session['_csrft_'] = 'token'
- token = session.pop_csrf_token()
+ token = session.get_csrf_token()
self.assertEqual(token, 'token')
- self.failIf('_csrft_' in session)
+ self.failUnless('_csrft_' in session)
class Test_manage_accessed(unittest.TestCase):
def _makeOne(self, wrapped):
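Review bot: `test_get_csrf_token` only checks that `_csrft_` survives one call; it does not pin the two behaviours the rename is meant to guarantee — that a second call returns the same token, and that a session with no token returns `None` as the interface promises. After the `failUnless` line, add `self.assertEqual(session.get_csrf_token(), 'token')`, and add a separate test asserting `self.assertEqual(self._makeOne(testing.DummyRequest()).get_csrf_token(), None)`. Separately, `failUnless`/`failIf` are deprecated aliases; `self.assertIn('_csrft_', session)` states the intent directly, provided the project's target unittest has `assertIn`. The enclosing `TestUnencryptedCookieSession` class starts before the hunk, and `Test_manage_accessed` continues past it.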