Newsgroups: php.internals
Xref: news.php.net php.internals:93245
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: me@kelunik.com (Niklas Keller)
To: Andrey Andreev
Cc: Lester Caine, internals@lists.php.net
Date: Wed, 11 May 2016 18:16:56 +0200

2016-05-11 17:41 GMT+02:00 Andrey Andreev:

> On Wed, May 11, 2016 at 5:46 PM, Lester Caine wrote:
>
> > On 11/05/16 14:40, Andrey Andreev wrote:
> > > Therefore, while the session store *after login* is suitable for token
> > > storage, CSRF protection by default just doesn't belong in ext/session.
> >
> > If I am using php simply to 'add detail' to an element of a page that
> > does not require the client to be logged in then I don't see any need to
> > enable CSRF, but one of the options on that anonymous guest page may
> > well be a login button. Surely a large percentage of php traffic does
> > not need any security, only DoS filtering? UNTIL one is identified one
> > does not need a secure connection? Although I can see that some people
> > would want to ensure that anonymous content was 'secure', but isn't that
> > the job of https?
>
> Your login form too needs CSRF protection. It's a chicken and egg problem.

Not really. As long as you don't have the credentials, you can't make any
requests as the authenticated user, as there is no authenticated user. But
logout needs it, that's often forgotten.

> A lot could be written on the rest of your comments, but they are not
> relevant to the RFC.
>
> Cheers,
> Andrey.
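The token lifecycle the thread is arguing about, written out as an added example; this is not code from the RFC draft and not something any participant posted. It issues one CSRF token per session whether or not the user is logged in, compares it in constant time, rotates the session id and token when the user logs in, and requires the token on logout as well, which is the case Niklas says is often forgotten. The hidden field name `csrf_token`, the `action` values, the session key and the file name are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the RFC's or the thread's own code. Assumes a plain
// PHP session ($_SESSION) and forms that post a hidden "csrf_token" field
// (the field name and the "_csrf_token" session key are assumptions).

const CSRF_KEY = '_csrf_token';

/** Return the session's CSRF token, creating it on first use (login not required). */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe in HTML and URLs.
        $_SESSION[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_KEY];
}

/** Hidden input to include in every state-changing form, the logout form included. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Constant-time check of the submitted token against the session's token. */
function csrf_verify(array $post): bool
{
    $submitted = $post['csrf_token'] ?? '';
    // Reject arrays (csrf_token[]=x) and empty values before hash_equals,
    // which would throw a TypeError on a non-string argument.
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals(csrf_token(), $submitted);
}

/** New session id and new token after a privilege change (login). */
function csrf_rotate(): void
{
    session_regenerate_id(true);
    unset($_SESSION[CSRF_KEY]);
    csrf_token();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The check runs before any action, so an anonymous visitor's login form
    // and an authenticated user's logout form are protected the same way.
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    switch ($_POST['action'] ?? '') {
        case 'login':
            // ... verify credentials here (omitted) ...
            $_SESSION['user'] = 'demo';   // assumed session layout
            csrf_rotate();                // fresh id and token for the authenticated user
            break;
        case 'logout':
            // Logout changes state too: without the token check a cross-site
            // form post could log the victim out at will.
            $_SESSION = [];
            session_destroy();
            break;
    }
    header('Location: ' . $_SERVER['REQUEST_URI']);
    exit;
}

// GET: render whichever form applies, each carrying the token.
csrf_token();
if (empty($_SESSION['user'])) {
    echo '<form method="post">' . csrf_field()
        . '<input type="hidden" name="action" value="login">'
        . '<input name="username"><input name="password" type="password">'
        . '<button>Log in</button></form>';
} else {
    echo '<form method="post">' . csrf_field()
        . '<input type="hidden" name="action" value="logout">'
        . '<button>Log out</button></form>';
}
```

Save it as, say, `csrf.php` and run `php -S localhost:8080 csrf.php`; posting the logout form without the hidden field (or from another origin) gets a 403, and the token value changes after a successful login because `csrf_rotate()` replaced both the session id and the token.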