On 10 May 2016 at 17:48, Fleshgrinder <p...@fleshgrinder.com> wrote:
> On 5/10/2016 5:24 AM, Yasuo Ohgaki wrote:
> > Hi all,
> >
> > It's not nice to work on the same code (i.e. the session module) for
> > multiple RFCs, but time is limited.
> >
> > I would like to hear ideas/comments before I write a patch for this.
> > https://wiki.php.net/rfc/automatic_csrf_protection
> >
> > Thank you for your comments.
> >
> > Regards,
> >
> > P.S. Precise session ID management is important, but this one is also
> > important. I'll finish and start voting on 2 active session RFCs soon. I
> > may finish all of them, hopefully.
> >
>
> -1 CSRF protection is a very specific need of some parts of a website
> and not something that is universally required.
>
> --
> Richard "Fleshgrinder" Fussenegger
>

Sorry, but this isn't something that the language should be concerning itself with. It will cause more pain than it's worth (think magic quotes).
Also, you suggest that PHP should raise an error on session_start if the validation fails. Most of the time, if my app gets a CSRF failure, an error would be inappropriate, as I'd want to handle it myself and display, for example, a form validation error message instead of blowing up the whole script. Given that this feature is optional, it will do nothing to improve security whilst adding pain to developers who are producing apps designed to run in multiple environments, e.g. Drupal/WordPress etc., so a big -1 from me.
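For readers following the thread, here is what the application-level handling the reply argues for looks like in practice. This is an added example, not code from the thread, the RFC, or the PHP session module: a per-session CSRF token is generated with the CSPRNG, embedded in forms, and compared in constant time, and a mismatch is reported back to the caller as an ordinary validation result rather than an error raised from session_start. The function names (csrf_token, csrf_check, csrf_field) and the `_csrf` field/session key are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread or the RFC): application-level CSRF
// handling where the app decides what happens on failure. The function
// names and the "_csrf" key are assumptions for illustration.

declare(strict_types=1);

// Return the per-session CSRF token, creating it on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['_csrf'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds safely in HTML.
        $_SESSION['_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_csrf'];
}

// Validate the token submitted with a state-changing request.
// Returns true on success and false on failure, so the caller can render
// a form-level error instead of aborting the whole script.
function csrf_check(array $post): bool
{
    $expected  = csrf_token();
    $submitted = $post['_csrf'] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, $submitted);
}

// Hidden field to embed in every HTML form that performs a state change.
function csrf_field(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Usage in a form handler: a CSRF failure is treated like any other
// validation failure and the form is re-rendered with a message.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = [];
    if (!csrf_check($_POST)) {
        $errors['form'] = 'Your session has expired or the form was resubmitted. Please try again.';
    }
    if ($errors === []) {
        // ... process the request ...
    }
    // ... re-render the form, including $errors and csrf_field() ...
}
```

The point of keeping the check in application code is exactly the one the reply makes: the application knows which requests need protection and how a failure should be presented, whereas a check inside session_start would apply to every request and could only signal failure by raising an error.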