From 1ff367373f18e52c6482c63ad678d6476c9b27e2 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Fri, 5 May 2017 16:15:34 -0400
Subject: [PATCH] use ZM_AUTH_HASH_SECRET for the key, not the secret

---
 web/includes/csrf/csrf-magic.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/includes/csrf/csrf-magic.php b/web/includes/csrf/csrf-magic.php
index e51d39d15..787349dfb 100644
--- a/web/includes/csrf/csrf-magic.php
+++ b/web/includes/csrf/csrf-magic.php
@@ -102,7 +102,7 @@ $GLOBALS['csrf']['user'] = false;
  * tokens, and have Squid ignore that cookie for get requests, for anonymous
  * users. (If you haven't guessed, this scheme was(?) used for MediaWiki).
  */
-$GLOBALS['csrf']['key'] = false;
+$GLOBALS['csrf']['key'] = ZM_AUTH_HASH_SECRET;
 
 /**
  * The name of the magic CSRF token that will be placed in all forms, i.e.
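Review bot: The new assignment `$GLOBALS['csrf']['key'] = ZM_AUTH_HASH_SECRET;` uses the constant unguarded, so an undefined, empty or still-default secret would give a CSRF key that is predictable or silently disabled. Whether the constant is always defined before this file is included cannot be seen from the hunk; if it is not, older PHP falls back to the literal string `'ZM_AUTH_HASH_SECRET'` and PHP 8 throws an Error. A guard such as `$GLOBALS['csrf']['key'] = (defined('ZM_AUTH_HASH_SECRET') && ZM_AUTH_HASH_SECRET !== '') ? ZM_AUTH_HASH_SECRET : false;` keeps the previous safe default. The line also reuses the authentication hash secret for a second purpose, so a purpose-specific derived value like `hash_hmac('sha256', 'csrf-magic-key', ZM_AUTH_HASH_SECRET)` would avoid coupling the two. The docblock above this setting starts outside the hunk and should gain a sentence saying the key comes from the site's auth hash secret and must be changed from the installation default.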