Newsgroups: php.internals
Xref: news.php.net php.internals:93248
To: PHP internals
References: <4667bb84-4401-4dd6-6193-fcf3aa6b3d48@gmail.com> <4d97846f-81d6-6cad-91ad-5e513a709e91@gmail.com> <573345AF.9020206@lsces.co.uk>
Message-ID: <573387A9.1000303@lsces.co.uk>
Date: Wed, 11 May 2016 20:27:37 +0100
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: lester@lsces.co.uk (Lester Caine)

Post from tablet seems to have gone missing ...
On 11/05/16 16:41, Andrey Andreev wrote:
> On Wed, May 11, 2016 at 5:46 PM, Lester Caine wrote:
>
>> On 11/05/16 14:40, Andrey Andreev wrote:
>>> Therefore, while the session store *after login* is suitable for token
>>> storage, CSRF protection by default just doesn't belong in ext/session.
>>
>> If I am using php simply to 'add detail' to an element of a page that
>> does not require the client to be logged in then I don't see any need to
>> enable CSRF, but one of the options on that anonymous guest page may
>> well be a login button. Surely a large percentage of php traffic does
>> not need any security, only DoS filtering? UNTIL one is identified one
>> does not need a secure connection? Although I can see that some people
>> would want to ensure that anonymous content was 'secure', but isn't that
>> the job of https?
>>
> Your login form too needs CSRF protection. It's a chicken and egg problem.

Most of my sites have the login button hidden in the general content so
people can access the back office system from anywhere. THAT takes you to
the login page.

> A lot could be written on the rest of your comments, but they are not
> relevant to the RFC.

'Automatic CSRF Protection' is again just part of a bigger problem. One
thing which has changed in recent months is the availability of free https
certificates, the one thing that has up until now blocked a more general
switch TO https? But again, I don't see that this proposal makes any sense
when all the frameworks I've seen already have their own managed csrf
systems ... and enforce https links when using them?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
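The thread's point that the login form itself needs a CSRF token, even though no authenticated session exists yet, is illustrated by the following added example. It is not code from the thread, from the RFC draft, or from any framework: the token is issued into the pre-login session when the form is rendered, compared in constant time on submission, and rotated once authentication succeeds. The `$session` array passed by reference stands in for `$_SESSION` so the script runs from the CLI; the function names (`csrf_token`, `csrf_check`, `login`) and the credentials are constructed for the demo.

```php
<?php
// Added example, not part of the mailing-list post: CSRF protection for a
// login form that is shown before any user is authenticated.
declare(strict_types=1);

// Issue (or reuse) a per-session token. The session exists before login, so
// the anonymous visitor who renders the form already has a place to keep it.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $session['csrf_token'];
}

// Hidden field to embed in the login form.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token with the stored one.
function csrf_check(array $session, array $post): bool
{
    if (!isset($session['csrf_token'], $post['_csrf']) || !is_string($post['_csrf'])) {
        return false; // a cross-site form carries no token for this session
    }
    return hash_equals($session['csrf_token'], $post['_csrf']);
}

// Login handler: CSRF check first, then credentials, then privilege change.
function login(array &$session, array $post, callable $authenticate): bool
{
    if (!csrf_check($session, $post)) {
        return false;
    }
    if (!$authenticate((string) ($post['user'] ?? ''), (string) ($post['pass'] ?? ''))) {
        return false;
    }
    // On privilege change rotate the token (and, in a real request, call
    // session_regenerate_id(true)) so the pre-login token cannot be replayed.
    unset($session['csrf_token']);
    $session['user'] = $post['user'];
    csrf_token($session);
    return true;
}

// Constructed demo in place of a real request cycle.
$authenticate = fn(string $u, string $p): bool => $u === 'alice' && $p === 'demo-password';

$session = [];                       // anonymous visitor, nothing stored yet
$formHtml = csrf_field($session);    // rendering the form creates the token
$tokenBefore = $session['csrf_token'];

// 1. Submission from a form the site did not render: no token present.
$forged = ['user' => 'alice', 'pass' => 'demo-password'];
printf("forged submission: %s\n", login($session, $forged, $authenticate) ? 'accepted' : 'rejected');

// 2. Submission from the site's own form, token included.
$genuine = ['_csrf' => $tokenBefore, 'user' => 'alice', 'pass' => 'demo-password'];
printf("genuine submission: %s\n", login($session, $genuine, $authenticate) ? 'accepted' : 'rejected');

// 3. Replay of the pre-login token after the rotation.
printf("token rotated after login: %s\n", $session['csrf_token'] !== $tokenBefore ? 'yes' : 'no');
```

The check runs before the credentials are examined so that a forged request is refused without touching the password store, and `hash_equals` avoids leaking the stored token through timing differences. Because `$session` is populated on the first form render, the mechanism does not depend on a logged-in user, which is the "chicken and egg" case raised in the thread.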