Newsgroups: php.internals
Xref: news.php.net php.internals:93181
Date: Wed, 11 May 2016 09:17:39 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
References: <2e590aa5-9345-02e5-c1a4-7e0470c6c5a3@fleshgrinder.com>

Hi,

On Wed, May 11, 2016 at 7:06 AM, Yasuo Ohgaki wrote:
> On Wed, May 11, 2016 at 1:48 AM, Fleshgrinder wrote:
>> On 5/10/2016 5:24 AM, Yasuo Ohgaki wrote:
>>> Hi all,
>>>
>>> It's not nice to work on the same code (i.e. the session module) for
>>> multiple RFCs, but time is limited.
>>>
>>> I would like to hear ideas/comments before I write a patch for this.
>>> https://wiki.php.net/rfc/automatic_csrf_protection
>>>
>>> Thank you for your comments.
>>>
>>> Regards,
>>>
>>> P.S. Precise session ID management is important, but this one is also
>>> important. I'll finish and start voting on the 2 active session RFCs soon.
>>> I may finish all of them, hopefully.
>>>
>>
>> -1 CSRF protection is a very specific need of some parts of a website
>> and not something that is universally required.
>
> Did you read the RFC?
> It does not enable CSRF protection for all websites, but only when it is enabled.

Oops. I had set the default to protect. Fixed it. Thanks.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net