Hi!

> Did you read the RFC?
> It does not enable CSRF protection for all websites, but only when it is
> enabled.

The RFC says: "Default: session.csrf_protection=1". Which means all sites would have it (for POST) unless they specifically disable it by changing configuration.

Also, new variants do not account for the existence of other HTTP methods such as PUT, DELETE, etc. Value "2" also makes little sense - why would you want to protect GET, but not POST?

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
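The point about PUT and DELETE, as an added illustration that is not code from the RFC or from anyone in this thread: a setting that enumerates methods is compared with a rule that requires a token for every method outside the safe set of RFC 7231. The mode-to-method mapping is an assumption modelled only on what the message says about values 1 and 2, and all function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Methods RFC 7231 section 4.2.1 defines as safe (no state change expected).
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Hypothetical model of a method-enumerating setting, built only from what the
// message states: 1 covers POST, 2 covers GET but not POST.
function enumeratedPolicyRequiresToken(int $mode, string $method): bool
{
    $covered = [1 => ['POST'], 2 => ['GET']];
    return in_array(strtoupper($method), $covered[$mode] ?? [], true);
}

// Alternative rule: require a token for every method that is not safe.
function safeMethodPolicyRequiresToken(string $method): bool
{
    return !in_array(strtoupper($method), SAFE_METHODS, true);
}

// Constant-time token comparison; a missing or empty token never validates.
function tokenIsValid(?string $sessionToken, ?string $requestToken): bool
{
    return is_string($sessionToken) && is_string($requestToken)
        && $sessionToken !== '' && hash_equals($sessionToken, $requestToken);
}

// Constructed sample: one session token, and requests that carry no token.
$sessionToken = bin2hex(random_bytes(16));
foreach (['GET', 'POST', 'PUT', 'DELETE', 'PATCH'] as $method) {
    $enumAllows = !enumeratedPolicyRequiresToken(1, $method)
        || tokenIsValid($sessionToken, null);
    $safeAllows = !safeMethodPolicyRequiresToken($method)
        || tokenIsValid($sessionToken, null);
    printf("%-6s mode 1: %-7s  safe-method rule: %s\n", $method,
        $enumAllows ? 'allowed' : 'blocked',
        $safeAllows ? 'allowed' : 'blocked');
}
```

Under the modelled mode 1 only the token-less POST is blocked, while PUT, DELETE and PATCH pass unchecked; the safe-method rule blocks all four and lets GET through.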