Hi,

This gets a -1 from me as well. Much has been said already about why this is a bad idea, to the point where I don't know why there's still discussion around it. But here's one more reason ...

It assumes, and thus also encourages, that users have an active session at all times - this is bad. You're not supposed to start a session for a user *until they have logged in*. If you do, then unless you're not storing session data server-side (which is hard to do properly and is not supported by ext/session), you're almost certainly vulnerable to some form of DoS (e.g. inodes and/or memory/storage being filled up, exhaustion of free IDs, entropy available for new session ID generation, pre-fetching of IDs to work around use_strict_mode restrictions, etc.).

Therefore, while the session store *after login* is suitable for token storage, CSRF protection by default just doesn't belong in ext/session.

Cheers,
Andrey.
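The pattern the post argues for, as an added example that is not part of Andrey's message and not code from ext/session or any RFC: no session_start() for anonymous requests, a session created only once credentials check out, and the CSRF token kept in that post-login session. verify_credentials() is a hypothetical application function; the ini settings are standard PHP session options.

```php
<?php
// Added example, not from the original post: start a session only after the
// user has authenticated, then keep the CSRF token in that session.
// verify_credentials() is a hypothetical application function.

declare(strict_types=1);

// Standard ext/session options: refuse session IDs the server never issued
// (strict mode) and keep the cookie out of script reach and cross-site posts.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');

function login(string $user, string $password): bool
{
    // Deliberately no session_start() here: an unauthenticated request must
    // not cost a session file, a session ID, or entropy on the server.
    if (!verify_credentials($user, $password)) {   // hypothetical helper
        return false;
    }

    // Authenticated: only now does any server-side session state exist.
    session_start();
    session_regenerate_id(true);   // fresh ID, old one removed (fixation)

    $_SESSION['user']       = $user;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return true;
}

// Hidden field to embed in every state-changing form of a logged-in page.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8')
        . '">';
}

// Call at the top of any POST handler before acting on the request.
function require_valid_csrf(): void
{
    // Without a session cookie there is nothing to resume; stop before
    // session_start() would allocate a brand-new, empty session for a
    // caller who never logged in.
    if (session_status() === PHP_SESSION_NONE
        && !isset($_COOKIE[session_name()])) {
        http_response_code(403);
        exit('no authenticated session');
    }
    // With use_strict_mode on, an unknown ID yields a fresh empty session,
    // which then fails the token check below.
    session_start();

    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $_POST['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)
        || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit('bad CSRF token');
    }
}
```

The point of the cookie check in require_valid_csrf() is the one the post makes: the token lives in the session, so validation must never be the thing that creates a session for an anonymous client.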