On 11/05/16 14:40, Andrey Andreev wrote:
> Therefore, while the session store *after login* is suitable for token
> storage, CSRF protection by default just doesn't belong in ext/session.
If I am using php simply to 'add detail' to an element of a page that does not require the client to be logged in, then I don't see any need to enable CSRF, but one of the options on that anonymous guest page may well be a login button. Surely a large percentage of php traffic does not need any security, only DoS filtering? UNTIL one is identified, one does not need a secure connection? Although I can see that some people would want to ensure that anonymous content was 'secure', but isn't that the job of https?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
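As an added illustration of the point under discussion (this is not code from the thread or from ext/session; the helper names are hypothetical), a token can live in the session store for a guest session too, so the login form on an otherwise anonymous page is covered, and be rotated together with the session id once the user is logged in:

```php
<?php
// Added illustration, not from the thread: CSRF tokens kept in the PHP
// session (ext/session), issued before login so the login form itself is
// covered, and rotated after a successful login with session_regenerate_id().

function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex-encoded; works for a guest session as well
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so a mismatch leaks no timing
    return $submitted !== null && $expected !== ''
        && hash_equals($expected, $submitted);
}

function csrf_rotate_after_login(): void
{
    // Fresh session id and fresh token once authenticated, so a token
    // handed out to the anonymous session does not carry over
    session_regenerate_id(true);
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Rendering the login form (GET):
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    echo '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">';
}

// Handling the submitted form (POST):
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // ... verify credentials here, then:
    csrf_rotate_after_login();
}
```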