Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93206 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 95486 invoked from network); 11 May 2016 06:54:50 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 06:54:50 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.41 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.192.41 mail-qg0-f41.google.com Received: from [209.85.192.41] ([209.85.192.41:35690] helo=mail-qg0-f41.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 18/50-28272-937D2375 for ; Wed, 11 May 2016 02:54:50 -0400 Received: by mail-qg0-f41.google.com with SMTP id f74so19235969qge.2 for ; Tue, 10 May 2016 23:54:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=TX4c69bnoap/xgpnzUz0gwCIXQl5uomii+2plJHFags=; b=l49uI5WHSiDPyf4TMBUu25EWyjJe8FMMxAG8kSB1veVjW9CRrotY1gKW7d8HGIrVnG hwq/AE4oZDqUEl6YfZxBUNP0gV51Xnf5BuXWsqmaNM6N8EHnhmq4q+DQ8+a2tlPwBgdu eW3BRx1ixGhsBPdHa6bUJLAxULCpPuY6v7F7mWaTVbry+yCyW/xRssnIIioPhgE7eGwq k46xVDZx9IGyvxbOxHpk5Kczo+dQ8tOXMPTur1uxn8L7JsxDT0Te6Tcnbej8CcoTj+m5 3KEPX7+NB7/FvYOme+Cod8hvd4hnKbabf0JgHI7haSpR+vzDwgoS823SLa7NRYDsCc+S RPAQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=TX4c69bnoap/xgpnzUz0gwCIXQl5uomii+2plJHFags=; b=GOLqmxhx1HTk8Dug06Y9X5fc9oYzzzGPJ3eAR5UX58uUHYV40zkWAfItR+1rFAucYW 7QfaauyMuHWi67pkd9LA/8ElCpV0cgC4ag1ojYXVMYhxV1MeKOSsGHRyDbIHysjuvOuF 0ysrQLek/j8SwpnI2Fx3lfXJuPMSDnZknNu8qwqABgUMXE7nZzjt6SPHW48iYPB9Pktv qSvMAhtR6nSnGM3YbH573wGTeFECM8FCgtlqjUX0J/tFFBXyC0lVcrcfTYpk5/IvBxiv euh5LZLqQ68qUN0Z8T1Sf9MG7DATnlsEIs/4IY9+azWW38pjlYU9O3ZeMZLx5uk7oFeH Hb7A== X-Gm-Message-State: AOPr4FXR4VL2tVR1TaCo3QpnxSZ7rCdBOBXKVVWbkyvcGy5NTR/kb3FXRTwMmuotzPD/Xm0cSDvIaYH3+MeyVA== X-Received: by 10.140.196.74 with SMTP id r71mr1652286qha.41.1462949687201; Tue, 10 May 2016 23:54:47 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.140.27.133 with HTTP; Tue, 10 May 2016 23:54:07 -0700 (PDT) In-Reply-To: References: Date: Wed, 11 May 2016 15:54:07 +0900 X-Google-Sender-Auth: lrZY3MM_b3qULaNCKTdRFy4wVLw Message-ID: To: Pierre Joye Cc: PHP internals Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Pierre, On Wed, May 11, 2016 at 2:19 PM, Pierre Joye wrote: > On May 11, 2016 11:46 AM, "Yasuo Ohgaki" wrote: > >> Thank you for your comments. I've updated the RFC. You might like this >> version. >> > > I still think we should not have that in core. If we do, it should be > controlled by the application implementation and not ini settings (some > routes may have it, other not, some route may have different ttl etc). I am > not even sure it should be part of the session module. > > Sessions are per definiton easy. Implement them correctly (whatever that > means) is hard. Adding csrf to ext/session feels like adding auth methods as > well. Both csrf ans auth may need sessions but they are not part of the > session features. Session, authenticity, authentication cannot divide into independent parts, but they are dependent by its nature. Whether we like it or not, session is a part of authenticity/authentication. (I'm not going to add authentication feature. Session's task is to store authentication "flag", but I think authenticity is part of session) Current session module provide authenticity partially and it could provide good authenticity check with relatively simple change. This is what I would like to change by this RFC. I fully agree that implementations of proper session, authenticity, authentication are hard. They are not simple tasks and could be implemented badly like many applications in the wild. If these tasks are easy and almost all developers/applications do them correctly, I would not bother. Unfortunately, it's not. PHP has to be provided basic utility to web developers for the task. IMO. PHP is made for easy web application development. This RFC could provide easy, yet good enough, CSRF protection when only POST is used. It's just a matter of SESSION_CSRF_POST, 'csrf_validate'=>SESSION_CSRF_POST]); // Do something useful w/o caring CSRF if data modification is // done by POST only. ?> We are in micro service era. Full featured frameworks should not be required for simple request/response applications. It should be something like SESSION_CSRF_POST, 'csrf_validate'=>SESSION_CSRF_POST]); // Do something useful w/o caring CSRF if data modification is // done by POST only. check_authentication_and_authorization_if_not_redirect_to_appropriate_page_and_exit(); output_json_response(do_some_usuful_data_update_by($_POST)); ?> This is simple, fast and maintainable. There are many simple data retrieval/modification APIs now. This is what I would like to achieve. What is good about this RFC is applications that use only POST for data modifications could be protected w/o single line of code modification. And most importantly, it's easy to implement this :) So I don't see reasons let it developers burden. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net