Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: Chris Riley <t.carnage@gmail.com>
Date: Tue, 10 May 2016 18:20:26 +0100
To: PHP internals
Cc: Yasuo Ohgaki
In-Reply-To: <2e590aa5-9345-02e5-c1a4-7e0470c6c5a3@fleshgrinder.com>

On 10 May 2016 at 17:48, Fleshgrinder wrote:
> On 5/10/2016 5:24 AM, Yasuo Ohgaki wrote:
> > Hi all,
> >
> > It's not nice to work on the same code (i.e. session module) for
> > multiple RFCs, but time is limited.
> >
> > I would like to hear ideas/comments before I write a patch for this.
> > https://wiki.php.net/rfc/automatic_csrf_protection
> >
> > Thank you for your comments.
> >
> > Regards,
> >
> > P.S. Precise session ID management is important, but this one is also
> > important. I'll finish and start voting 2 active session RFCs soon. I
> > may finish all of them hopefully.
> >
>
> -1 CSRF protection is a very specific need of some parts of a website
> and not something that is universally required.
>
> --
> Richard "Fleshgrinder" Fussenegger
>

Sorry, but this isn't something that the language should be concerning itself with. It will cause more pain than it's worth (think magic quotes).

Also, you suggest that PHP should raise an error on session_start if the validation fails. Most of the time, if my app gets a CSRF failure, an error would be inappropriate, as I'd want to handle it myself and display, for example, a form validation error message instead of blowing up the whole script.

Given that this feature is optional, it will do nothing to improve security whilst adding pain to developers who are producing apps designed to run in multiple environments, e.g. Drupal/WordPress etc., so a big -1 from me.
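The reply above argues that a CSRF failure should surface as a form validation error the application controls rather than as an error raised from session_start. The following is an added example, not code from this thread or from the RFC, of that userland pattern: a per-session token tied to the form, a constant-time comparison, and a validator that returns messages for the form instead of throwing. The helper names (csrf_token, csrf_validate, csrf_field) and the field name _csrf are assumptions for this example; the functions take the session array by reference so the demonstration runs from the CLI without a real session.

```php
<?php
declare(strict_types=1);

// Assumed names for this example: CSRF_FIELD, csrf_token, csrf_validate, csrf_field.
const CSRF_FIELD = '_csrf';

/**
 * Return the per-session CSRF token, generating one on first use.
 * $session is the session store (normally $_SESSION), passed by reference.
 */
function csrf_token(array &$session): string
{
    if (!isset($session[CSRF_FIELD]) || !is_string($session[CSRF_FIELD])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe embedding in HTML.
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

/**
 * Validate the token submitted with a form.
 * Returns a list of validation messages (empty when the request is acceptable)
 * rather than raising an error, so the caller can re-render the form.
 */
function csrf_validate(array &$session, array $request): array
{
    $errors    = [];
    $expected  = $session[CSRF_FIELD] ?? null;
    $submitted = $request[CSRF_FIELD] ?? null;

    if (!is_string($expected) || $expected === '') {
        // No token in the session: usually an expired or brand-new session.
        $errors[] = 'Your session has expired; please reload the form and try again.';
    } elseif (!is_string($submitted) || !hash_equals($expected, $submitted)) {
        // hash_equals compares in constant time, so a wrong token leaks no timing.
        $errors[] = 'The form token was missing or invalid; please resubmit the form.';
    }
    return $errors;
}

/** Hidden input to embed in every state-changing form. */
function csrf_field(array &$session): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        CSRF_FIELD,
        htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8')
    );
}

// Constructed demonstration using an in-memory array in place of $_SESSION.
// In a web application: session_start(); then pass $_SESSION and $_POST.
$session = [];
echo csrf_field($session), PHP_EOL;

// 1. A submission whose token round-tripped from the rendered form.
$goodPost = ['email' => 'user@example.com', CSRF_FIELD => $session[CSRF_FIELD]];
var_dump(csrf_validate($session, $goodPost) === []);

// 2. A submission without the token (the shape a cross-site POST would have):
//    the application receives a message to display, not a fatal error.
$badPost = ['email' => 'user@example.com'];
print_r(csrf_validate($session, $badPost));

// 3. Typical handler shape around the validator.
$errors = csrf_validate($session, $badPost);
if ($errors !== []) {
    // Re-render the form with $errors; the state-changing work below is skipped.
    echo 'Form rejected: ', implode(' ', $errors), PHP_EOL;
} else {
    // Process the form.
}
```

The token is bound to the session, so it should be regenerated whenever the session is (for example on login), and the hidden field must be emitted into the form using the same session that will later validate it.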