Running 1.5.0 locally with no add-ons. If a customer signs in, adds something to their cart, and starts the checkout process but then gets distracted so that the session timeout kicks in, the next time they press a "Continue" button they're taken to the page_not_found page.

I've traced this issue down to the following code section within /includes/init_includes/init_sanitize.php:

Code:
  $csrfBlackListLocal = array();
  $csrfBlackList = (isset($csrfBlackListCustom)) ? array_merge($csrfBlackListLocal, $csrfBlackListCustom) : $csrfBlackListLocal;
  if (! isset ( $_SESSION ['securityToken'] ))
  {
    $_SESSION ['securityToken'] = md5 ( uniqid ( rand (), true ) );
  }
  if ((isset ( $_GET ['action'] ) || isset($_POST['action']) ) && $_SERVER['REQUEST_METHOD'] == 'POST')
  {
    $mainPage = isset($_GET['main_page']) ? $_GET['main_page'] : FILENAME_DEFAULT;
    if (!in_array($mainPage, $csrfBlackList))
    {
      if ((! isset ( $_SESSION ['securityToken'] ) || ! isset ( $_POST ['securityToken'] )) || ($_SESSION ['securityToken'] !== $_POST ['securityToken']))
      {
        zen_redirect ( zen_href_link ( FILENAME_PAGE_NOT_FOUND, '', $request_type ) );
      }
    }
  }

What is happening is that the securityToken is getting reset (due to the session timeout) so that the value in the $_SESSION is not equal to the value in the $_POST array. While the $mainPage value is valid, the $csrfBlackList array value is empty, resulting ultimately in a redirect to the page_not_found page.

I'm not sure what the $csrfBlackList code is supposed to be doing (it was added for v1.5.0), so I'm wont to simply remove it.

Any help would be appreciated.
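The check in the quoted block, restated as an added example that is not part of the original post and is not Zen Cart's code: pages listed in `$csrfBlackList` skip the token comparison, and every other POST carrying an `action` must send back the session's token. This version records whether the token was minted during the current request (which is what a session timeout causes), so the caller can choose a different redirect for that case while still rejecting the POST. It assumes PHP 7+; `csrf_gate()` and the outcome constants are hypothetical names.

```php
<?php
// Added illustration: csrf_gate() and the outcome constants are hypothetical
// names, not Zen Cart's. Assumes PHP 7+ (random_bytes, ??).
const CSRF_OK = 'ok';
const CSRF_NO_PRIOR_TOKEN = 'session_expired';
const CSRF_TOKEN_MISMATCH = 'token_mismatch';

function csrf_gate(array &$session, array $get, array $post, string $method, array $exemptPages): string
{
    // No token in the session means the session is new or was wiped by a
    // timeout; whatever token the form posts cannot belong to it.
    $freshToken = !isset($session['securityToken']);
    if ($freshToken) {
        $session['securityToken'] = bin2hex(random_bytes(16));
    }

    $hasAction = isset($get['action']) || isset($post['action']);
    if (!$hasAction || $method !== 'POST') {
        return CSRF_OK; // only POSTs that carry an action are checked
    }

    $mainPage = $get['main_page'] ?? 'index'; // stand-in for FILENAME_DEFAULT
    if (in_array($mainPage, $exemptPages, true)) {
        return CSRF_OK; // page is on the exemption list ($csrfBlackList)
    }

    $posted = $post['securityToken'] ?? null;
    if (!$freshToken && is_string($posted) && hash_equals($session['securityToken'], $posted)) {
        return CSRF_OK;
    }
    // The POST is rejected in both cases; only the redirect target the
    // caller picks (session-expired page vs. page_not_found) differs.
    return $freshToken ? CSRF_NO_PRIOR_TOKEN : CSRF_TOKEN_MISMATCH;
}

// Constructed sample requests, not captured traffic.
$live    = ['securityToken' => 'abc123'];
$expired = []; // session contents lost to the timeout
$get     = ['main_page' => 'checkout_shipping', 'action' => 'process'];
$post    = ['securityToken' => 'abc123'];

echo csrf_gate($live, $get, $post, 'POST', []), "\n";
echo csrf_gate($expired, $get, $post, 'POST', []), "\n";
$post['securityToken'] = 'forged';
echo csrf_gate($live, $get, $post, 'POST', []), "\n";
```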