Hi Kinn,

On Wed, May 11, 2016 at 11:56 AM, Kinn Julião <kin...@gmail.com> wrote:
> The point with your example is:
> The cross site can request "get_csrf_token.php", store it in its own session
> (even curl can save the session ID cookie or whatever), get the token and
> request the endpoint with the retrieved token and session ID.
>
> Got it?
Wrong assumption. How would you set the attacker's session ID on the victim?

BTW, session hijacking/adoption is not in the scope of this RFC, but of a precise session management RFC.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
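The point being argued above (a token fetched under the attacker's own session is worthless against the victim, because the victim's browser only ever sends the victim's session cookie) is easier to see in code. The following is an added example written for this page; it is not code from the thread, from the RFC, or from PHP itself. The `csrf_*` function names are hypothetical, the session stores are plain arrays standing in for `$_SESSION` so the script runs from the CLI, and the session IDs and secrets are constructed at run time.

```php
<?php
// Added example (not from the thread or the RFC): a CSRF token bound to the
// session that issued it. The token is an HMAC over the session ID and the
// protected action, keyed by a per-session secret, so a token minted inside
// the attacker's session does not verify inside the victim's session.
// Arrays stand in for $_SESSION so this runs stand-alone from the CLI.

function csrf_new_session(): array {
    // Hypothetical helper: every session gets its own random secret. The ID
    // stands in for the cookie value the browser would send automatically.
    return [
        'id'     => bin2hex(random_bytes(16)),
        'secret' => random_bytes(32),
    ];
}

function csrf_issue_token(array $session, string $action): string {
    // Hypothetical helper: token = HMAC-SHA256(secret, session_id || action).
    // Binding the action means a token for one form cannot be replayed
    // against another endpoint in the same session.
    return hash_hmac('sha256', $session['id'] . "\0" . $action, $session['secret']);
}

function csrf_verify_token(array $session, string $action, string $token): bool {
    // Recompute the expected token for *this* session and compare in
    // constant time, so a mismatch does not leak how many bytes matched.
    $expected = csrf_issue_token($session, $action);
    return hash_equals($expected, $token);
}

// --- Replay the scenario from the thread with constructed sessions ---
$victim   = csrf_new_session();
$attacker = csrf_new_session();

// 1. The cross site fetches a token from the endpoint using its own session.
$fetchedElsewhere = csrf_issue_token($attacker, 'transfer');

// 2. When the victim's browser is made to hit the endpoint, it carries the
//    victim's cookie, so the server verifies against the victim's session.
//    The token from step 1 was keyed by a different secret and session ID.
echo "token from another session accepted: ",
     var_export(csrf_verify_token($victim, 'transfer', $fetchedElsewhere), true), PHP_EOL;

// 3. A token issued inside the victim's own session is accepted for that
//    session and that action only.
$legit = csrf_issue_token($victim, 'transfer');
echo "own-session token, same action accepted: ",
     var_export(csrf_verify_token($victim, 'transfer', $legit), true), PHP_EOL;
echo "own-session token, other action accepted: ",
     var_export(csrf_verify_token($victim, 'delete', $legit), true), PHP_EOL;
```

Run it with `php csrf_example.php`. The only way the fetched token becomes useful is if the attacker can also make the victim's browser present the attacker's session ID, which is the session fixation/adoption problem the reply above explicitly leaves to a separate session management RFC; in a real deployment the secret lives in `$_SESSION` and the session ID is regenerated on authentication so that an ID chosen before login never survives it.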