Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93215 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 12475 invoked from network); 11 May 2016 08:30:31 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 08:30:31 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.46 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.192.46 mail-qg0-f46.google.com Received: from [209.85.192.46] ([209.85.192.46:34653] helo=mail-qg0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 36/93-28272-6ADE2375 for ; Wed, 11 May 2016 04:30:30 -0400 Received: by mail-qg0-f46.google.com with SMTP id 90so20030014qgz.1 for ; Wed, 11 May 2016 01:30:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=a0BcP1bWLj9wYLM7hdTte9+vzUJPNIzNijwAZnFiUyk=; b=MKwFZTgXCgAb/xZExZ5SXtqcLx0Kn0pQkgAE8x8XDIzSGqgHJBJDuk2aU1nzErN4hJ ms/hK37fTkCDRflQtNf1T0XgE9XyZN/oeEmQaJCGM8IMp7cCMZ4AYdcCqIWRECYsXv5Z qgyQltlzMg8nv/Jm+KyxU4Lyg7WtTY8I+os8dckzZaHQnGe34vIYgDI+Kma0YMkt7Tix KW6uxmC5YVlbsJhS3aQlgVv7ui1GFKMpDp4R0R5zGP5jPY55tYanyWSdKXbMnWuGNxiD oWO4GXMMELaf5TXzr+VAWgFG0+90dcPiilniLAfLrEsiEQ8vjIj8qD786Sc4lFl30clH 7NjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=a0BcP1bWLj9wYLM7hdTte9+vzUJPNIzNijwAZnFiUyk=; b=c3zUYMNsV1GXh3sSkeW4qmEtlxzFBEvcpjpl+KoF+bJyQ3RjQU6iU/OgT39DvlA0XW EJiu5Qh7Z5e+xduIDKNt1CUVs1k7iAeD7MkX3VXJZu994au4Jz/BgflfVXLqQlylSNE/ EdLrqCBB5X0/I2pD4e8IbRNhNk+XjhUHO3eTH1mkz0oeZvZHpWpXPZ5aJTFx/YEFQm8L l7hgDzLbI6j5YrgBuyi9BSU1I3bdkMrWwIhKzk2/lli8jOA8ul41DwNKELSWK+phvwQG bxxWujbuxgB9+mnSbtKuM8H6EUdbRgm9iBMlo+seV1Qvls0FnHg5DMxV+rYSH2y5ro4n JCkg== X-Gm-Message-State: AOPr4FWjeuzTWmlC3HpzoMszigfR/3wZHWmw2G8QVoSQv8fF1XbxSLBgc0b8Ic+9FGDmBA/KEFjWK/vWH9ofpQ== X-Received: by 10.140.19.6 with SMTP id 6mr1907931qgg.75.1462955427863; Wed, 11 May 2016 01:30:27 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.140.27.133 with HTTP; Wed, 11 May 2016 01:29:48 -0700 (PDT) In-Reply-To: References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> Date: Wed, 11 May 2016 17:29:48 +0900 X-Google-Sender-Auth: J9edips7v45_CyE8mv1oU9Dtfj4 Message-ID: To: Arvids Godjuks Cc: Niklas Keller , Stanislav Malyshev , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi, Sorry for scattered mails. On Wed, May 11, 2016 at 5:05 PM, Yasuo Ohgaki wrote: >> What I personally would be for, is a CSRF aPI module that comes as default, >> like the Password API one, that gives ability to generate good quality CSRF >> tokens and manage it. Token generation is automatic, but this RFC supports fully manual CSRF validation, too. The RFC page only has semi manual example only. I'll add a example for this. Anyway, I fails to see the reason why PHP should not invalidate CSRF attacks against POST requests with 2 simple parameter or INI... Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net