Hi Stas,

On Tue, May 10, 2016 at 1:44 PM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>> I would like to hear ideas/comments before I write a patch for this.
>> https://wiki.php.net/rfc/automatic_csrf_protection
>
> Could you explain a bit more - when does token validation happen? Where does
> the SESSCSRF come from? Does this mean that every session application now
> has to support URL rewrite? What happens with applications that do not
> produce HTML at all, such as REST, or those that produce data further
> modified by a Javascript frontend?
> when does token validation happen?

As soon as session_start() is executed.

> Where does the SESSCSRF come from?

The session module generates a random CSRF generation key from php_random_bytes(). It generates the SESSCSRF SHA1 hash value by using the key and the ttl value.

> Does this mean that every session application now has to support URL rewrite?

No. The URL rewriter is used transparently by applications.

> What happens with applications that do not produce HTML at all, such as REST,

These apps may add the SESSCSRF value manually.

> or those that produce data further modified by a Javascript frontend?

JS code may add the SESSCSRF value manually.

Thank you for the clarification!

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
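To make the flow Yasuo sketches concrete (key generated once per session, SESSCSRF derived as a SHA1 over the key and a ttl, checked right after session_start(), supplied manually by REST or JS clients), here is an added userland PHP illustration. It is not the RFC's patch nor any code from the thread: the `$_SESSION` slot name, the 30-minute lifetime, the decision to carry the expiry timestamp alongside the hash, the `SESSCSRF` POST field and `X-SESSCSRF` header are all assumptions made for the example, and `random_bytes()` stands in for the internal php_random_bytes().

```php
<?php
// Added example of the token scheme described in the reply. Assumptions:
// the per-session key is stored under CSRF_KEY_SLOT, "ttl" is treated as an
// absolute expiry timestamp, and key and expiry are concatenated before hashing.

const CSRF_KEY_SLOT = '__csrf_key'; // assumption: where the random key is kept
const CSRF_TTL      = 1800;         // assumption: token lifetime in seconds

// Generate the per-session random key once; random_bytes() is the userland
// counterpart of the php_random_bytes() the reply mentions.
function csrf_key(): string
{
    if (empty($_SESSION[CSRF_KEY_SLOT])) {
        $_SESSION[CSRF_KEY_SLOT] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_KEY_SLOT];
}

// Derive SESSCSRF as "expiry:sha1(key . expiry)". Carrying the expiry in
// clear lets the receiver recompute the hash; the key itself never leaves
// the session store.
function csrf_token(?int $now = null): string
{
    $now ??= time();
    $expires = $now + CSRF_TTL;
    return $expires . ':' . sha1(csrf_key() . $expires);
}

// Validation, meant to run immediately after session_start(). True only if
// the token is well-formed, unexpired and recomputes from this session's key.
function csrf_validate(?string $token, ?int $now = null): bool
{
    $now ??= time();
    if ($token === null || strpos($token, ':') === false) {
        return false;
    }
    [$expires, $hash] = explode(':', $token, 2);
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false; // expired or malformed ttl
    }
    $expected = sha1(csrf_key() . (int) $expires);
    return hash_equals($expected, $hash); // constant-time comparison
}

// Wire-up. For HTML output the URL rewriter would inject SESSCSRF into links
// and forms; REST and JavaScript clients send it themselves, here either as a
// POST field or as an X-SESSCSRF request header (both names are assumptions).
session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    $sent = $_POST['SESSCSRF'] ?? $_SERVER['HTTP_X_SESSCSRF'] ?? null;
    if (!csrf_validate($sent)) {
        http_response_code(403);
        exit('CSRF token missing, expired or invalid');
    }
}

// Expose the current token to a JS front end so it can attach it manually.
echo '<meta name="SESSCSRF" content="'
    . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">';
```

Two points a reviewer would check against the design as described: the hash must be compared with hash_equals() rather than `==`, and GET requests are deliberately left unchecked because the rewriter cannot add a token to a link the user typed; anything that changes state must therefore not be reachable over GET.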