+ my $secret = $get_csrfr_secret->();
+
+ # FIXME: remove with PVE 7 and/or refactor all into PVE::Ticket ?
+ if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
+ my $sig = $2;
+ if (length($sig) == 27) {
+ # the legacy secret got populated by above get_csrfr_secret call
+ $secret = $csrf_prevention_secret_legacy;
+ }
+ }