Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Thu, 12 May 2016 10:27:08 +0100
Message-ID: <57344C6C.2060707@lsces.co.uk>
References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com>

On 12/05/16 04:19, Yasuo Ohgaki wrote:
> It could be an option to abandon the session module and let users
> implement a decent session manager, because we are taking too long
> even for mandatory things, even if there are implementations. It is
> simply taking too long to fix them. I'm half joking, but half
> serious :)

Yasuo ... THIS is the situation with a number of elements of PHP, and I DO understand where you are coming from. PHP is nicely modular, so creating a complete module ... well documented ... clean API ... makes perfect sense. Getting acceptance may be a different matter, as with switching from mysql to mysqli, but it does provide a documentable upgrade path for the problem in hand.

I'm the first to admit I rely on the simple options, so I still use anonymous sessions for the majority of users simply because they are never going to log in, while I consider an authenticated user a different animal that needs a different type of security. That is the main reason I posted the 'off topic' bits earlier in this thread. It IS a matter of what the ideal set-up is for the vast majority of PHP users who can justify laying out lots of money for the best chargeable security, and there is now at least a path that can be documented to help them, one that includes https, sessions and authentication?
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk