Post from tablet seems to have gone missing ...

On 11/05/16 16:41, Andrey Andreev wrote:
> On Wed, May 11, 2016 at 5:46 PM, Lester Caine <les...@lsces.co.uk> wrote:
>
>> On 11/05/16 14:40, Andrey Andreev wrote:
>>> Therefore, while the session store *after login* is suitable for token
>>> storage, CSRF protection by default just doesn't belong in ext/session.
>>
>> If I am using php simply to 'add detail' to an element of a page that
>> does not require the client to be logged in then I don't see any need to
>> enable CSRF, but one of the options on that anonymous guest page may
>> well be a login button. Surely a large percentage of php traffic does
>> not need any security, only DoS filtering? UNTIL one is identified one
>> does not need a secure connection? Although I can see that some people
>> would want to ensure that anonymous content was 'secure', but isn't that
>> the job of https?
>>
> Your login form too needs CSRF protection. It's a chicken and egg problem.

Most of my sites have the login button hidden in the general content so
people can access the back office system from anywhere. THAT takes you to
the login page.

> A lot could be written on the rest of your comments, but they are not
> relevant to the RFC.

'Automatic CSRF Protection' is again just part of a bigger problem. One
thing which has changed in recent months is the availability of free https
certificates, the one thing that has up until now blocked a more general
switch TO https? But again, I don't see that this proposal makes any sense
when all the frameworks I've seen already have their own managed csrf
systems ... and enforce https links when using them?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
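As an added example, not code from the thread or from the RFC it discusses: a minimal PHP login form that keeps a CSRF token in the pre-login session, which is the "chicken and egg" case Andrey raises, and rotates both session id and token once the visitor authenticates. `check_credentials()` and the `/back-office` path are hypothetical.

```php
<?php
// Added example (not from the thread): CSRF protection for a login form that is
// reached from an anonymous page. The session exists before authentication only
// to hold the token; check_credentials() is a hypothetical stub.
declare(strict_types=1);
session_start();

function csrf_token(): string {
    // One token per session, created lazily so anonymous visitors get one too.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool {
    // Constant-time compare; no session token means none was issued, so fail closed.
    return isset($_SESSION['csrf'], $submitted)
        && hash_equals($_SESSION['csrf'], $submitted);
}

function check_credentials(string $user, string $pass): bool {
    return false; // hypothetical: look up the user and verify with password_verify()
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    if (check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        // Privilege change: fresh session id and fresh token, so nothing issued
        // to the anonymous session is carried across the login boundary.
        session_regenerate_id(true);
        unset($_SESSION['csrf']);
        $_SESSION['user'] = $_POST['user'];
        header('Location: /back-office'); // hypothetical destination
        exit;
    }
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/login">
  <input type="hidden" name="csrf" value="{$token}">
  <input name="user"> <input name="pass" type="password">
  <button>Log in</button>
</form>
HTML;
```

The token only binds the form to the browser's own session cookie; it does nothing for transport, which is why the https point in the thread is a separate concern.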