Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: pierre.php@gmail.com (Pierre Joye)
To: Yasuo Ohgaki
Cc: PHP internals
Date: Wed, 11 May 2016 12:19:36 +0700

On May 11, 2016 11:46 AM, "Yasuo Ohgaki" wrote:

> Thank you for your comments. I've updated the RFC. You might like this version.

I still think we should not have that in core. If we do, it should be controlled by the application implementation and not ini settings (some routes may have it, others not, some routes may have a different TTL, etc.). I am not even sure it should be part of the session module.

Sessions are per definition easy. Implementing them correctly (whatever that means) is hard.

Adding CSRF to ext/session feels like adding auth methods as well. Both CSRF and auth may need sessions, but they are not part of the session features.

Cheers,
Pierre
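The application-controlled arrangement argued for above (protection decided per route, each route with its own TTL, the session only supplying the identity the token is bound to) as an added PHP illustration; this is not code from the RFC, from ext/session, or from anyone in this thread, and the route-to-TTL map, the application secret and the session id are assumed inputs.

```php
<?php
// Constructed example: per-route CSRF tokens with per-route TTLs held in
// application code rather than php.ini. Assumed inputs: $secret is a random
// application key, $sessionId is the live session id (e.g. session_id()),
// and the route map lists only the routes that want protection.

final class RouteCsrf
{
    /** @param array<string,int> $routeTtl seconds per route; absent route = unprotected */
    public function __construct(private string $secret, private array $routeTtl) {}

    public function isProtected(string $route): bool
    {
        return isset($this->routeTtl[$route]);
    }

    // Token = "<expiry>.<hmac>"; the MAC binds session, route and expiry together.
    public function issue(string $route, string $sessionId, int $now): string
    {
        $expires = $now + $this->routeTtl[$route];
        $mac = hash_hmac('sha256', "$sessionId|$route|$expires", $this->secret);
        return $expires . '.' . $mac;
    }

    public function verify(string $route, string $sessionId, int $now, string $token): bool
    {
        if (!$this->isProtected($route)) {
            return true; // this route opted out of CSRF checks
        }
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2 || !ctype_digit($parts[0])) {
            return false; // malformed token
        }
        [$expires, $mac] = $parts;
        if ((int) $expires < $now) {
            return false; // past this route's TTL
        }
        $expected = hash_hmac('sha256', "$sessionId|$route|$expires", $this->secret);
        return hash_equals($expected, $mac); // constant-time comparison
    }
}

// Constructed usage: a short TTL for a sensitive route, a longer one elsewhere.
$guard = new RouteCsrf(random_bytes(32), ['/transfer' => 300, '/profile' => 3600]);
$sid   = 'constructed-session-id';
$token = $guard->issue('/transfer', $sid, time());
var_dump($guard->verify('/transfer', $sid, time(), $token));       // same route, within TTL
var_dump($guard->verify('/profile', $sid, time(), $token));        // token presented on another route
var_dump($guard->verify('/transfer', $sid, time() + 301, $token)); // after the 300 s TTL
```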