
Form CSRF protection does not work with verificationKeyGenerator disabled #26

@kinodont

Description

The problem is that when I use a Form with CSRF protection (addProtection) and verificationKeyGenerator is set to FALSE, I cannot log in.
I found the source of the problem on this line:

http://api.nettephp.com/1.0/__filesource/fsource_Nette-Web__WebSession.php.html#a115

When the verificationKeyGenerator is on, the condition works as expected because $verKey can't be NULL. However, when the generator is turned off, $verKey will always be NULL. As a result, the session always gets reinitialized and all the data in it is deleted (including the CSRF token).

Fixing the condition like this worked:

if (!isset($_SESSION['__NF']['C']))
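The following is an added example, not the reporter's patch and not Nette's own Session code. It models the bootstrap the issue describes so the failure mode can be reproduced from the command line: a verification key is either generated or NULL, the stored copy is checked on every request, and a failed check throws the whole `__NF` namespace away together with the CSRF token stored in it. The PHP fact that makes the bug bite is that `isset()` returns FALSE for an array key whose value is NULL, so an "is this slot present" check on the key slot fails on every request once the generator is disabled. The layout of `$_SESSION['__NF']` used here (`V` for the stored key, `DATA` for the namespaces) and the exact shape of the original condition are assumptions; only `__NF` and the `C` slot from the reporter's fix come from the page.

```php
<?php
declare(strict_types=1);

// Added example (not Nette's code). Assumed layout of $_SESSION['__NF']:
//   'V'    => verification key as produced on the first request (may be NULL)
//   'C'    => request counter, always an int once the namespace exists
//   'DATA' => per-namespace data, e.g. the form's CSRF token
// Only '__NF' and 'C' appear on the page; the rest is a modelling assumption.

/** Bootstrap with the assumed ORIGINAL check: "is the key slot set?" */
function bootstrapOriginal(array &$session, ?string $verKey): bool
{
    $nf = &$session['__NF'];
    // isset() is FALSE for a key whose value is NULL, so with the generator
    // disabled ($verKey === NULL) this branch is taken on EVERY request.
    if (!isset($nf['V'])) {
        $nf = ['V' => $verKey, 'C' => 0, 'DATA' => []];   // wipes the CSRF token too
        return true;
    }
    if ($nf['V'] !== $verKey) {      // key changed: treat as a different client
        $nf = ['V' => $verKey, 'C' => 0, 'DATA' => []];
        return true;
    }
    $nf['C']++;
    return false;
}

/** Same bootstrap with the reporter's fix: test the counter, which is never NULL. */
function bootstrapFixed(array &$session, ?string $verKey): bool
{
    $nf = &$session['__NF'];
    if (!isset($nf['C'])) {          // only a genuinely new session lands here
        $nf = ['V' => $verKey, 'C' => 0, 'DATA' => []];
        return true;
    }
    if ($nf['V'] !== $verKey) {      // NULL !== NULL is FALSE, so a disabled
        $nf = ['V' => $verKey, 'C' => 0, 'DATA' => []];   // generator passes here
        return true;
    }
    $nf['C']++;
    return false;
}

/**
 * Two requests of one client: request 1 renders a form and stores its CSRF
 * token in the session, request 2 is the POST that must find the same token.
 * Returns TRUE when the token survived, FALSE when the bootstrap wiped it.
 */
function simulate(callable $bootstrap, ?string $verKey): bool
{
    $session = [];                                          // fresh PHP session
    $bootstrap($session, $verKey);                          // request 1
    $token = bin2hex(random_bytes(16));
    $session['__NF']['DATA']['form']['token'] = $token;     // addProtection() stores it

    $bootstrap($session, $verKey);                          // request 2 (form POST)
    return isset($session['__NF']['DATA']['form']['token'])
        && hash_equals($session['__NF']['DATA']['form']['token'], $token);
}

// Stand-in for verificationKeyGenerator output; any non-empty string will do.
$generatedKey = md5('constructed client fingerprint');

var_dump(simulate('bootstrapOriginal', $generatedKey));   // generator enabled
var_dump(simulate('bootstrapOriginal', null));            // generator disabled
var_dump(simulate('bootstrapFixed', null));               // generator disabled, fixed check
```

Run with `php example.php`. With the generator enabled both versions keep the token; with it disabled the original check reinitializes the namespace on the second request and the token is gone, which is exactly what a CSRF-protected form sees as an invalid submission, while the fixed check keeps the session. A general lesson for any "has this slot been initialized" test in PHP: use a slot that can never legitimately hold NULL (as the reporter's fix does), or use `array_key_exists()` rather than `isset()`.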
