Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93210
Return-Path: <arvids.godjuks@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 3389 invoked from network); 11 May 2016 07:33:47 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 May 2016 07:33:47 -0000
Authentication-Results: pb1.pair.com header.from=arvids.godjuks@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=arvids.godjuks@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.43 as permitted sender)
X-PHP-List-Original-Sender: arvids.godjuks@gmail.com
X-Host-Fingerprint: 74.125.82.43 mail-wm0-f43.google.com  
Received: from [74.125.82.43] ([74.125.82.43:34613] helo=mail-wm0-f43.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DD/C1-28272-A50E2375 for <internals@lists.php.net>; Wed, 11 May 2016 03:33:46 -0400
Received: by mail-wm0-f43.google.com with SMTP id v200so31579141wmv.1
        for <internals@lists.php.net>; Wed, 11 May 2016 00:33:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=sg2hFvcPY+096EdYiUlRF254irguFFidN7d0l4pxSAQ=;
        b=PaTpVIvJ6zzttP64YALL6BfgBJMoPaSIW4AalCB8vfD+GAaUSA/Y3oKPOn+uAr/WEC
         NmvE2UiJCRxi9TzmHDNfHyflu/iIanXx5+vp/t7K1nZD6RTHmMx/U4mbicPIfl7Ux1eX
         6IzLghIsKQ/sVVQ7Z26WBlYv/LY+kuB6S9y6gzrfwCJhEsd0N+3uoypLsWvcjyie0lYr
         y3P435OUkWDbQ+CHxbfb1kbdXWQZJlWsdyMVxFSejP1ixLrHlFEHfPY7QB2ehgmKhM6I
         7PId+0UJqeN1MgFa+KTTSan6X/XPd0Tck5SmFelMPgf211VvYCg619B7k/9AwQFoEMM7
         rleg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=sg2hFvcPY+096EdYiUlRF254irguFFidN7d0l4pxSAQ=;
        b=DQSqOB4/qoufDZNsrIXKSPFjIkbJeakYkLomYU3aXds6P2RUbd9DbHoGthW9QoDU2X
         nllPFuEsUZ3E6phNqjamdVv0/24ilioLD8SeFHxXVnDecgC4a8T8TLgd2GybO7xXDYVq
         SHThl4MkPji9pwu9RyBcAOpcNbQCL+weukdGd9kRIvf2BuOc7nMzLLmAL2ha9GTGMJ6Q
         LatgHHoGQThM1ku4gAfOhwTOTxpscweTDX+O4SUetEF7WEg6TuuUJB1ZHUd9ASRKZd6y
         DGsxMHgRSvvsQIpGnCxAcOOIO7R5vH97lJElbjmHG2BusVhYo1s3uR1a/8vtWyqZMHUZ
         EaiA==
X-Gm-Message-State: AOPr4FWL1uYt18AZz4ttUY9DLpDKBTvODOWJFIxHzoqqhnnhJ6KJvJ2/bQaWg9oP/EPSWqZWGU3f2athztmlCg==
X-Received: by 10.28.215.1 with SMTP id o1mr22050366wmg.26.1462952024193; Wed,
 11 May 2016 00:33:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.115.167 with HTTP; Wed, 11 May 2016 00:33:24 -0700 (PDT)
In-Reply-To: <CANUQDCgi-P4=rWA5H+53_BcWyqeWaC_QOADUNMb_jV70KuhEPw@mail.gmail.com>
References: <CAGa2bXZytbD1H-Rg5eWfiPwEM0p47JSQH-GC-ZayDSLbmbsGVA@mail.gmail.com>
 <c21d1d4b-a790-e1a9-7c93-2c5af4baf5d1@gmail.com> <CAGa2bXboop3KDFnYtcdO-K+hL0To5te_yeHeFEFO-kCVuzNOJQ@mail.gmail.com>
 <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> <CAGa2bXZwRK0GuXbT53B4w+h5ySiVJnJpo-d87Uiw-reYHi80zQ@mail.gmail.com>
 <CANUQDChxOeydBRLPrvuumf+edqJNKV+TOstGz66X_tg+Y7knPQ@mail.gmail.com>
 <CAGa2bXZC8Qp8-Ggyfj5+0X5aiktSX_AyfRdKAPXFZ=x4+A1XDQ@mail.gmail.com> <CANUQDCgi-P4=rWA5H+53_BcWyqeWaC_QOADUNMb_jV70KuhEPw@mail.gmail.com>
Date: Wed, 11 May 2016 10:33:24 +0300
Message-ID: <CAL0xaBFTF28h7ZTCkk=gn2=kepv0xe_Gk0+zjhmZzDmLJYU3-w@mail.gmail.com>
To: Niklas Keller <me@kelunik.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, Stanislav Malyshev <smalyshev@gmail.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1146a02ab9bec005328c0fee
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: arvids.godjuks@gmail.com (Arvids Godjuks)

--001a1146a02ab9bec005328c0fee
Content-Type: text/plain; charset=UTF-8

Hi internals,

i'm -1 on the CSRF in the sessions at all. Even more -1 on having it on by
default and having any INI settings that affect how engine processes data
in runtime.
People just don't learn until they shotgun themselves I guess.

What I personally would be for, is a CSRF aPI module that comes as default,
like the Password API one, that gives ability to generate good quality CSRF
tokens and manage it.

--001a1146a02ab9bec005328c0fee--