Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: Pierre Joye <pierre.php@gmail.com>
To: Yasuo Ohgaki
Cc: Arvids Godjuks, Niklas Keller, Stanislav Malyshev, internals@lists.php.net
Date: Thu, 12 May 2016 08:53:23 +0700
Newsgroups: php.internals

On Thu, May 12, 2016 at 4:13 AM, Yasuo Ohgaki wrote:
> Hi Arvids,
> I don't force, but CSRF protection is optional. If you don't need it,
> simply don't use it.

You actually do by using ini settings for that, or potentially force it.

Now the main issue is not about whether or not CSRF is a good thing; we all agree on that. In my opinion the questions are:

1. Do we want CSRF features in core?

I do not think it should. But if we decide it should, then the way it is proposed is suboptimal. CSRF usage depends strongly on the application or request type, TTL and other behaviors as well. That being said, that means the use of INI settings and the global SESSION array is wrong. It must be a public API.

2. If yes, does it have to be part of the session extension?

My answer is clearly no. We must rather simplify and improve the session implementation and APIs, focusing purely on its core purposes: managing session data storage and providing interfaces & APIs to match application needs. We do not do that very well anymore.

I will leave this thread for now as I am going to repeat myself more than you wish; I think we made our points clear :)

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org
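The message above argues that CSRF handling should be a public API whose TTL and behaviour the application chooses, rather than INI settings bound to the global session array. The following is an added userland sketch of what such an API could look like; it is example code written for this page, not code from the RFC, from Pierre, or from PHP core. All class and method names (CsrfTokenStore, ArrayTokenStore, CsrfTokens, issue, validate) are hypothetical, the in-memory store stands in for whatever session or cache layer an application would plug in, and it assumes PHP 8.0 or later for constructor promotion and named arguments.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or PHP core): a userland CSRF token
// API where the application, not php.ini, chooses storage, TTL and whether
// a token is single-use. Every name here is hypothetical.

interface CsrfTokenStore
{
    public function put(string $scope, string $token, int $expiresAt): void;
    /** @return array{token: string, expires_at: int}|null */
    public function get(string $scope): ?array;
    public function remove(string $scope): void;
}

// In-memory store for demonstration only; a real application would back
// this with its own session handler or cache, injected through the interface.
final class ArrayTokenStore implements CsrfTokenStore
{
    private array $rows = [];

    public function put(string $scope, string $token, int $expiresAt): void
    {
        $this->rows[$scope] = ['token' => $token, 'expires_at' => $expiresAt];
    }

    public function get(string $scope): ?array
    {
        return $this->rows[$scope] ?? null;
    }

    public function remove(string $scope): void
    {
        unset($this->rows[$scope]);
    }
}

final class CsrfTokens
{
    public function __construct(
        private CsrfTokenStore $store,
        private int $ttlSeconds,          // chosen per application or request type
        private bool $oneTimeUse = false, // e.g. true for payment or destructive forms
    ) {
    }

    // Issue a fresh token bound to a scope such as a form name or route.
    // $now is injectable so expiry can be exercised without sleeping.
    public function issue(string $scope, ?int $now = null): string
    {
        $now ??= time();
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->store->put($scope, $token, $now + $this->ttlSeconds);
        return $token;
    }

    // Validate a submitted token: TTL check first, then constant-time
    // comparison, then optional invalidation after the first successful use.
    public function validate(string $scope, string $submitted, ?int $now = null): bool
    {
        $now ??= time();
        $row = $this->store->get($scope);
        if ($row === null || $now > $row['expires_at']) {
            $this->store->remove($scope); // expired tokens are dropped, never reused
            return false;
        }
        if (!hash_equals($row['token'], $submitted)) {
            return false;
        }
        if ($this->oneTimeUse) {
            $this->store->remove($scope);
        }
        return true;
    }
}

// Usage: a login form with a 15-minute reusable token and a checkout form
// with a short single-use token; both policies are set by the application.
$store = new ArrayTokenStore();
$login = new CsrfTokens($store, ttlSeconds: 900);
$checkout = new CsrfTokens($store, ttlSeconds: 120, oneTimeUse: true);

$t1 = $login->issue('login');
var_dump($login->validate('login', $t1));                // fresh token
var_dump($login->validate('login', $t1));                // still valid: reusable until expiry
var_dump($login->validate('login', $t1, time() + 901));  // checked after the TTL has passed

$t2 = $checkout->issue('checkout');
var_dump($checkout->validate('checkout', $t2));          // first use
var_dump($checkout->validate('checkout', $t2));          // second use of a single-use token
```

The two things this shape gives that an INI-driven, session-extension-owned mechanism cannot are visible in the usage block: the TTL and reuse policy are per-form values passed by the caller, and the storage behind the tokens is an interface the application implements, so nothing in the design depends on `$_SESSION` or on a process-wide setting.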