Protect login against CSRF

refs #5626

application/forms/Authentication/LoginForm.php

@@ -11,12 +11,6 @@ use Icinga\Web\Form;
  */
 class LoginForm extends Form
 {
-    /**
-     * Disable CSRF protection
-     * @var bool
-     */
-    protected $tokenDisabled = true;
-
     /**
      * Interface how the form should be created
      */

library/Icinga/Web/Form.php

@@ -10,6 +10,7 @@ use Zend_Config;
 use Zend_Form_Element_Submit;
 use Zend_Form_Element_Reset;
 use Zend_View_Interface;
+use Icinga\Web\Session;
 use Icinga\Web\Form\Element\Note;
 use Icinga\Exception\ProgrammingError;
 use Icinga\Web\Form\Decorator\HelpText;
@@ -112,7 +113,7 @@ class Form extends Zend_Form
     public function getSessionId()
     {
         if (!$this->sessionId) {
-            $this->sessionId = session_id();
+            $this->sessionId = Session::getSession()->getId();
         }
 
         return $this->sessionId;

library/Icinga/Web/Session/PhpSession.php

@@ -191,6 +191,15 @@ class PhpSession extends Session
         }
     }
 
+    /**
+     * @see Session::getId()
+     */
+    public function getId()
+    {
+        $this->open(); // Make sure we actually get a id
+        return session_id();
+    }
+
     /**
      * Assign a new sessionId to the currently active session
      */

library/Icinga/Web/Session/Session.php

@@ -54,6 +54,13 @@ abstract class Session extends SessionNamespace
      */
     abstract public function refreshId();
 
+    /**
+     * Return the id of this session
+     *
+     * @return  string
+     */
+    abstract public function getId();
+
     /**
      * Get or create a new session namespace
      *