Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93240
Return-Path: <lester@lsces.co.uk>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 66144 invoked from network); 11 May 2016 14:46:11 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 May 2016 14:46:11 -0000
Authentication-Results: pb1.pair.com smtp.mail=lester@lsces.co.uk; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=lester@lsces.co.uk; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lsces.co.uk from 217.147.176.214 cause and error)
X-PHP-List-Original-Sender: lester@lsces.co.uk
X-Host-Fingerprint: 217.147.176.214 mail4-2.serversure.net Linux 2.6
Received: from [217.147.176.214] ([217.147.176.214:56784] helo=mail4.serversure.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EB/CD-28272-1B543375 for <internals@lists.php.net>; Wed, 11 May 2016 10:46:10 -0400
Received: (qmail 31958 invoked by uid 89); 11 May 2016 14:46:07 -0000
Received: by simscan 1.3.1 ppid: 31952, pid: 31955, t: 0.0750s
         scanners: attach: 1.3.1 clamav: 0.96/m:52/d:10677
Received: from unknown (HELO ?10.0.0.7?) (lester@rainbowdigitalmedia.org.uk@81.138.11.136)
  by mail4.serversure.net with ESMTPA; 11 May 2016 14:46:07 -0000
To: internals@lists.php.net
References: <CAGa2bXZytbD1H-Rg5eWfiPwEM0p47JSQH-GC-ZayDSLbmbsGVA@mail.gmail.com>
 <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com>
 <CAGa2bXZwRK0GuXbT53B4w+h5ySiVJnJpo-d87Uiw-reYHi80zQ@mail.gmail.com>
 <CANUQDChxOeydBRLPrvuumf+edqJNKV+TOstGz66X_tg+Y7knPQ@mail.gmail.com>
 <CAGa2bXZC8Qp8-Ggyfj5+0X5aiktSX_AyfRdKAPXFZ=x4+A1XDQ@mail.gmail.com>
 <CANUQDCgi-P4=rWA5H+53_BcWyqeWaC_QOADUNMb_jV70KuhEPw@mail.gmail.com>
 <CAL0xaBFTF28h7ZTCkk=gn2=kepv0xe_Gk0+zjhmZzDmLJYU3-w@mail.gmail.com>
 <CAGa2bXbX_YhpJEr+9XjTb3xxgb2KTw=LEjC97A0vM4_WNiSvnA@mail.gmail.com>
 <CAL0xaBF8e7PhY_hqNYwNvxwRiha1=rUtLBfugUNC2FGf2FndzA@mail.gmail.com>
 <CAF+u_ByFOKd+CyCO5yO_2aSYf2GhLrqb6oLHcvKuNF6W7E+YGg@mail.gmail.com>
 <4667bb84-4401-4dd6-6193-fcf3aa6b3d48@gmail.com>
 <CAF+u_BxxZ-xG2cS-C97qx+WNccryd_0xvhgPbvdqfe7F_8mL0g@mail.gmail.com>
 <4d97846f-81d6-6cad-91ad-5e513a709e91@gmail.com>
 <CAF+u_BxnVg+cpeitxR4Lo0Z938fcNGYEDBKLe6XPq8RU3KH9cQ@mail.gmail.com>
 <CAPhkiZxWNtGhD_R=TO4sJF5ToinRxFK+5VhsjeUXsSDK-ts8Xg@mail.gmail.com>
Message-ID: <573345AF.9020206@lsces.co.uk>
Date: Wed, 11 May 2016 15:46:07 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <CAPhkiZxWNtGhD_R=TO4sJF5ToinRxFK+5VhsjeUXsSDK-ts8Xg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: lester@lsces.co.uk (Lester Caine)

On 11/05/16 14:40, Andrey Andreev wrote:
> Therefore, while the session store *after login* is suitable for token
> storage, CSRF protection by default just doesn't belong in ext/session.

If I am using php simply to 'add detail' to an element of a page that
does not require the client to be logged in then I don't see any ned to
enable CSRF, but one of the options on that anonymous guest page may
well be a login button. Surely a large percentage of php traffic does
not need any security, only DoS filtering? UNTIL one is identified one
does not need a secure connection? Although I can see that some people
would want to ensure that anonymous content was 'secure', but isn't that
the job of https?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk