Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93184 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 48113 invoked from network); 11 May 2016 01:17:53 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 01:17:53 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.42 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.192.42 mail-qg0-f42.google.com Received: from [209.85.192.42] ([209.85.192.42:34044] helo=mail-qg0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 16/1F-63163-04882375 for ; Tue, 10 May 2016 21:17:53 -0400 Received: by mail-qg0-f42.google.com with SMTP id 90so16576565qgz.1 for ; Tue, 10 May 2016 18:17:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=y+js+108aFzPgHNXTpUT85h2yOpcfbUTV5ci0KwDLJk=; b=FExvsvSzc5EL/18dOpZBSuBIiO+SrxRFVvg+KhorMfFW6a+n5DDv3AwA57sxs5FUH5 E+7sbZUyfnLNbfjPPkM7zsOtysxd4BF8X8YHyQUWx3x/dA02K6qmQdflYnMXr+mwAiQy WqY5Dxvo6PyvsOGHyKFE7bMHD+j1VG2x3Agy71YhTDugNndRLKxqiXNy/sK4mnJKhqOb vSJ0Cde4pCi/dS1g8LEOHGcnR/yJG2l8Z7Z9iVd2mwYq4oQg6YZv+Y38AjXrqU9d9BWk AhdlJV9wPKnVfsv5U2R1uDrGEZe98VpXp+dYmQs+J0w7cq0OVuoEDMc/sECDpW/j9iWr fPNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=y+js+108aFzPgHNXTpUT85h2yOpcfbUTV5ci0KwDLJk=; b=P2gWhFRjmEO+eZtuFVsPsEFz1Abu04ft6lWPH/xsyTK018VXGYg9T1wwWnGEv3VEKl Pg7ezIrTxLcaUPcjDcZYQQ7ln6IsxMlbWXY5xkq9e83RY2+WPsVMSBohvrQP46bx6ERK jyHI2ZaQugAV3kziN4TP2xP7DCNyVS0qE9dLzkTMCfsnmdIUY4bAvb72u/bmGy3NlMZQ iBNLRuBPggV9yxHiXLhU2hYaE4aaXlgbiBgG4DaRW9jOyHWZBvojKmfDswPyhaVmYKfp 0f9fo8OjdY+A6oYIVVId/zA7QsFshK1/IAYzsURyUYx9HDKGio9txpxzHOjLmBbFwCup 5zEA== X-Gm-Message-State: AOPr4FU+w43Yc9n2Gvz+chqsJv2etNFk4fbtVDRomUxRnsowJoSh5dtwlGrZaTYFqP7PQJjLBrX/t8K/Iuw5VQ== X-Received: by 10.140.196.74 with SMTP id r71mr614466qha.41.1462929470499; Tue, 10 May 2016 18:17:50 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.140.27.133 with HTTP; Tue, 10 May 2016 18:17:10 -0700 (PDT) In-Reply-To: References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> Date: Wed, 11 May 2016 10:17:10 +0900 X-Google-Sender-Auth: LkhBr51NQ-YOcc7F3e2rwUOHGt8 Message-ID: To: Stanislav Malyshev Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Stas, On Wed, May 11, 2016 at 7:58 AM, Stanislav Malyshev wrote: >>> Add where? And where that value would come from? RFC says nothing about >>> that. >> >> As usual. Query parameter when GET is used. Additional input when POST >> is used. All users have to do is adding CSRF token to JS program. > > GET and POST aren't the only HTTP methods. And where JS program would > get the correct token from? As far as I can see, there's no function in > the RFC that produces it. JS code that does not have pages at all may obtain CSRF token manually. get_csrf_token.php SESSION_CSRF_GET]); echo json_encode(['SESSCSRF'=>SESSCSRF]); ?> then JS apps may use the token. Users must be careful for CSRF token TTL. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net