Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93143 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 57206 invoked from network); 10 May 2016 11:05:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 May 2016 11:05:15 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.182 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.220.182 mail-qk0-f182.google.com Received: from [209.85.220.182] ([209.85.220.182:36035] helo=mail-qk0-f182.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 96/31-49800-A60C1375 for ; Tue, 10 May 2016 07:05:14 -0400 Received: by mail-qk0-f182.google.com with SMTP id x7so4093209qkd.3 for ; Tue, 10 May 2016 04:05:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=xIVBHs6/n6fSfNxHlUmYcCvTLygp5jYsRUFPv62tFqM=; b=AugxEtLpg8MAE2KAtqunW8mvEuFS4w62ceKlLjNh+ZP/OQUUmjIHAB9Ymrae5eXFjL i75mi9haav9g/OQcnFO//v6A70g0G1PNRk0nqT0K67GoWyMWIwyD25UK0X5F38/LLNUu yvQ7gELCwFzYCtXruawRtMpgZ1yZNQwQ3xDs8d45t0AFLV/lADrO5xA7qHMOLwRQByuo sYG/0hOitvapnwjWST7IQHGVMu3J4VlpnISZoGVokoph+rVEgYnVVp28PnXyTiezxbka ZZZLWizQsOiHemzOS+rLwjX4suzPJJUfgdFAVD35nHKMKGuxrisEKy2Ec/bBQt14QXLD mgSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=xIVBHs6/n6fSfNxHlUmYcCvTLygp5jYsRUFPv62tFqM=; b=T2xeLTI3WHyBo3wZsFLhdovf4kfdlbvqzbq4HNHyXI7I/ZlgrY1L1W8h0p48k7tgKS qSk6DlnM80GaiAig6+jNNwoXOH+T8R3X5wqs3F+WfnahrbNJg2uq5C8eRw8tPMp+/p7x G7lyirbsyFX+a2+x1vEXm6dJBVTsvhrYKxBI2PbksxgavgUKprQ7nGXTPAnyetObO76Z p9rF6hfpQT2XCHckFssDAPnVNutAL+OmUclcNE+s4a7jxKorB4/M7NCtZ/AUHvbMlJVb qusBC0uiDHXyBURw+ycG0hL6KQRAKRW7o3ApnMhTOiKqkCtI+We+3Rl/Uk5l5pwPY8As 29zw== X-Gm-Message-State: AOPr4FXTCrj3RvVoufpixWllcECmKBLWdwySheg0LixeoB7x0vrzLfmjfQSQ0+FDqskZhqoIzCk3XAKP+LDikw== X-Received: by 10.55.118.71 with SMTP id r68mr41702761qkc.198.1462878311809; Tue, 10 May 2016 04:05:11 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.140.27.133 with HTTP; Tue, 10 May 2016 04:04:32 -0700 (PDT) In-Reply-To: References: Date: Tue, 10 May 2016 20:04:32 +0900 X-Google-Sender-Auth: zRbUoKfUq8jFxOcAoLLmhKxONuA Message-ID: To: Stanislav Malyshev Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Stas, On Tue, May 10, 2016 at 1:44 PM, Stanislav Malyshev wrote: >> I would like to hear from ideas/comments before I write patch for this. >> https://wiki.php.net/rfc/automatic_csrf_protection > > Could you explain a bit more - when token validation happens? Where the > SESSCSRF comes from? Does this mean that every session application now > has to support URL rewrite? What happens with applications that do not > produce HTML at all, such as REST, or those that produce data further > modified by Javascript frontend? when token validation happens? - As soon as session_start() is executed. Where the SESSCSRF comes from? - Session module generates random CSRF generation key from php_ranbom_bytes(). It generate SESSCSRF SHA1 hash value by using the key and ttl value. Does this mean that every session application now has to support URL rewrite? - No. URL rewriter is used transparently from applications. What happens with applications that do not produce HTML at all, such as REST, - These apps may add SESSCSRF value manually. or those that produce data further modified by Javascript frontend? - JS code may add SESSCSRF value manually. Thank you for clarification! Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net