Hi!

> To protect all URLs automatically, all URLs need to have a token.
> That's the reason why all URLs have a token. The risk is the same as
> Trans SID session management.

But not all URLs need protecting. There are a lot of URLs that do not need protecting, and there are a lot of actions, especially in a modern web application, that aren't achieved by simply clicking a link in the browser. A modern web application is usually a combination of backend and frontend logic, and if you have any frontend logic driven by XHR or such, URL rewriting is not going to work.

> Because of the likelihood of the vulnerability, it's better to provide basic
> infrastructure. IMO. It's possible to give more control to users.

The problem is the RFC proposes to give less control to users, namely, the defaults proposed are likely to break an average application *and* not provide CSRF protection for it.

-- 
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
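As an added illustration of the contrast drawn in the message above (this is example code written for this page, not code from the RFC under discussion or from anyone in the thread): a minimal PHP CSRF check that protects only state-changing requests and lets the token travel in a hidden form field or a request header, which is the channel an XHR/fetch-driven frontend can actually use, instead of rewriting a token into every URL. The function names, the session key, the `csrf_token` field name and the `X-CSRF-Token` header name are this example's own choices, not anything the RFC or PHP defines.

```php
<?php
// Added example (not from the RFC or the thread). Safe methods are never
// checked; unsafe ones must carry a per-session token in a POST field or in
// an X-CSRF-Token header (both names are assumptions of this example).

session_start();

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 CSPRNG bytes, hex-encoded so the value is safe in HTML and headers.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * Decide whether a request needs a token and, if so, whether it has a valid one.
 * GET/HEAD/OPTIONS are the "safe" methods of RFC 7231: a link that only reads
 * data needs no CSRF token, so there is no reason to rewrite one into its URL.
 */
function csrf_request_ok(string $method, array $post, array $headers): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    // Header names are case-insensitive; normalise before the lookup.
    $headers  = array_change_key_case($headers, CASE_LOWER);
    // Plain HTML forms send the token as a hidden field; XHR/fetch clients send
    // it in a header they set from a value the page handed them (see below).
    $supplied = $post['csrf_token'] ?? $headers['x-csrf-token'] ?? '';
    // hash_equals() compares in constant time, so a wrong token leaks nothing
    // about how many leading bytes were right.
    return is_string($supplied) && hash_equals(csrf_token(), $supplied);
}

// --- Request handling --------------------------------------------------------
$method  = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$headers = function_exists('getallheaders') ? getallheaders() : [];

if (!csrf_request_ok($method, $_POST, $headers)) {
    http_response_code(403);
    exit("CSRF token missing or invalid\n");
}

if ($method === 'GET') {
    // Emit the token once per page: as a hidden field for the HTML form and as
    // a meta tag that frontend JavaScript reads and copies into X-CSRF-Token.
    // No URL on the page is rewritten.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo "<meta name=\"csrf-token\" content=\"$token\">\n";
    echo "<form method=\"post\">\n";
    echo "  <input type=\"hidden\" name=\"csrf_token\" value=\"$token\">\n";
    echo "  <button>Delete account</button>\n";
    echo "</form>\n";
} else {
    // A state-changing action; only reachable with a valid token.
    echo "action performed\n";
}
```

Run it under the PHP built-in server (`php -S localhost:8080 csrf.php`), load the page once to get a session and a token, then POST with and without the `csrf_token` field or the `X-CSRF-Token` header to see the 403 path. The point of the design is that the token never appears in a URL at all: GETs pass untouched, form posts carry it in the body, and frontend code reads it from the meta tag and sets the header on its XHR/fetch calls, which URL rewriting of the Trans SID kind cannot cover.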