- session removal fix (CSRF)

Author: Marius Cramer

interface/lib/classes/tform_base.inc.php

@@ -714,8 +714,8 @@ protected function _encode($record, $tab, $dbencode = true, $api = false) {
 					unset($_POST);
 					unset($record);
 				}
-				$_SESSION['_csrf'][$_csrf_id] = ' ';
-				$_SESSION['_csrf_timeout'][$_csrf_id] = ' ';
+				$_SESSION['_csrf'][$_csrf_id] = null;
+				$_SESSION['_csrf_timeout'][$_csrf_id] = null;
 				unset($_SESSION['_csrf'][$_csrf_id]);
 				unset($_SESSION['_csrf_timeout'][$_csrf_id]);
 
@@ -725,6 +725,8 @@ protected function _encode($record, $tab, $dbencode = true, $api = false) {
 						if($timeout < time()) $to_unset[] = $_csrf_id;
 					}
 					foreach($to_unset as $_csrf_id) {
+						$_SESSION['_csrf'][$_csrf_id] = null;
+						$_SESSION['_csrf_timeout'][$_csrf_id] = null;
 						unset($_SESSION['_csrf'][$_csrf_id]);
 						unset($_SESSION['_csrf_timeout'][$_csrf_id]);
 					}