Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: Fleshgrinder <php@fleshgrinder.com>
To: Yasuo Ohgaki, internals@lists.php.net
Date: Tue, 10 May 2016 18:48:03 +0200
Message-ID: <2e590aa5-9345-02e5-c1a4-7e0470c6c5a3@fleshgrinder.com>

On 5/10/2016 5:24 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> It's not nice to work on the same code (i.e. the session module) for
> multiple RFCs, but time is limited.
>
> I would like to hear ideas/comments before I write a patch for this.
> https://wiki.php.net/rfc/automatic_csrf_protection
>
> Thank you for your comments.
>
> Regards,
>
> P.S. Precise session ID management is important, but this one is also
> important. I'll finish and start voting on 2 active session RFCs soon. I
> may finish all of them, hopefully.
>

-1

CSRF protection is a very specific need of some parts of a website and
not something that is universally required.

--
Richard "Fleshgrinder" Fussenegger