Newsgroups: php.internals
Xref: news.php.net php.internals:93213
Date: Wed, 11 May 2016 17:05:05 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Arvids Godjuks
Cc: Niklas Keller, Stanislav Malyshev, internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection

Hi Arvids,

On Wed, May 11, 2016 at 4:33 PM, Arvids Godjuks wrote:
> I'm -1 on the CSRF in the sessions at all. Even more -1 on having it on by
> default and having any INI settings that affect how the engine processes data
> at runtime.
> People just don't learn until they shotgun themselves, I guess.

Override them if you don't want admins to set INI values. I've modified
session_start() so that it can set INI values as function parameters.
http://php.net/session_start

> What I personally would be for is a CSRF API module that comes as default,
> like the Password API one, that gives the ability to generate good-quality
> CSRF tokens and manage them.

Imagine the number of CSRF vulnerabilities in PHP apps. It's countless. Letting
users choose the right way is not a good option. It is proven. I added
session.use_strict_mode (which disallows permanent session hijacking, etc.) many
years ago, but a fair number of users aren't enabling this option.
I suspect the vast majority of users haven't enabled it. Even if we provide a
solution, it's hard to get it adopted. If there is no solution, the outcome is
easy to imagine. IMHO.

Users have had access to a good PRNG. Even if mt_rand() is used, it is hard
enough for attackers to guess, yet there are countless CSRF vulnerabilities.
What's the reason to ignore the fact that a huge number of CSRF vulnerabilities
exist in PHP apps? I cannot understand the rationale behind you and others
thinking it should be entirely the users' task...

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
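The two mechanisms the message touches on, session_start() taking INI overrides as a parameter and an application-level "CSRF API" that generates and checks tokens, shown together as an added PHP example. This is not code from the thread or from the RFC draft, and it is not the automatic protection the RFC proposes; it is the manual pattern that the RFC argues most applications never get around to writing. The helper names (csrf_token, csrf_field, csrf_check) and the form field name csrf_token are this example's own choices, and it assumes PHP 7.0 or later (options array for session_start(), random_bytes(), hash_equals()) running under a web SAPI.

```php
<?php
// Added example: manual CSRF token handling on top of session_start() INI
// overrides. Not the RFC's automatic mechanism. Assumes PHP >= 7.0, web SAPI.
declare(strict_types=1);

// session_start() accepts INI overrides since PHP 7.0; keys are the
// session.* names without the "session." prefix. This is how an application
// turns on use_strict_mode itself instead of relying on the admin's php.ini.
session_start([
    'use_strict_mode'  => 1,  // reject uninitialised session IDs supplied by the client
    'use_only_cookies' => 1,  // never accept the session ID from the URL
    'cookie_httponly'  => 1,
    'cookie_secure'    => 1,
]);

// Per-session token, generated once from the CSPRNG. mt_rand() is not used.
function csrf_token(): string
{
    if (!isset($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));  // 256 bits
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing HTML form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token against the session copy.
// hash_equals() is constant-time; a plain === would leak timing information.
function csrf_check(array $post): bool
{
    if (!isset($_SESSION['csrf_token'], $post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// Reports whether strict mode actually took effect (the value session_start()
// ended up with, which is what the message above says most users never set).
function strict_mode_enabled(): bool
{
    return ini_get('session.use_strict_mode') === '1';
}

// Request handling: the check runs before any side effect of the POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing action here ...
    exit('OK');
}

// GET: render the form with the token embedded.
echo '<form method="post">' . csrf_field()
   . '<button type="submit">Do something</button></form>';
```

The check has to run on every request that changes state, before the handler does anything with the input; a token that is generated but only verified on some forms is the gap that the "countless" vulnerabilities in the message come from. Note also that session.use_strict_mode is only enforced by save handlers that can validate an ID (the built-in files handler does), so strict_mode_enabled() tells you the INI value took effect, not that every custom handler honours it.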