On Wed, May 11, 2016 at 5:46 PM, Lester Caine <les...@lsces.co.uk> wrote:
> On 11/05/16 14:40, Andrey Andreev wrote:
> > Therefore, while the session store *after login* is suitable for token
> > storage, CSRF protection by default just doesn't belong in ext/session.
>
> If I am using php simply to 'add detail' to an element of a page that
> does not require the client to be logged in then I don't see any need to
> enable CSRF, but one of the options on that anonymous guest page may
> well be a login button. Surely a large percentage of php traffic does
> not need any security, only DoS filtering? UNTIL one is identified one
> does not need a secure connection? Although I can see that some people
> would want to ensure that anonymous content was 'secure', but isn't that
> the job of https?
>

Your login form too needs CSRF protection. It's a chicken and egg problem.

A lot could be written on the rest of your comments, but they are not
relevant to the RFC.

Cheers,
Andrey.
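The "chicken and egg" point above, as an added illustration that is not part of the thread and not code from ext/session or the RFC: a login form is itself a CSRF target (an attacker can POST their own credentials to log the victim into the attacker's account), so the anti-CSRF token has to be minted and stored for the *anonymous* visitor before any login happens, and then rotated together with the session ID once authentication succeeds. The `check_credentials` callback, the credentials and the in-memory `$session` array are constructed for the demo; in a real handler you would call `session_start()` and pass `$_SESSION`.

```php
<?php
// Added example, not from the php-internals thread or from ext/session.
// Shows why a login form needs a CSRF token that exists *before* login:
// the token has to live in the anonymous (pre-auth) session, and both the
// session ID and the token are rotated once the user authenticates.

declare(strict_types=1);

const CSRF_KEY = 'csrf_token';

// Mint a token for the anonymous visitor if the session has none yet.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// Constant-time comparison; false on a missing or mismatched token.
function csrf_validate(array $session, ?string $submitted): bool
{
    if (!is_string($submitted) || empty($session[CSRF_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_KEY], $submitted);
}

// Render the login form with the hidden token field.
function login_form_html(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input name="user"><input name="pass" type="password">
  <button>Log in</button>
</form>
HTML;
}

// Handle the POST: reject on a bad token first, then authenticate via the
// hypothetical $check_credentials callback, then rotate session ID and token.
function handle_login(array &$session, array $post, callable $check_credentials): string
{
    if (!csrf_validate($session, $post['csrf_token'] ?? null)) {
        return '403 bad CSRF token';
    }
    if (!$check_credentials($post['user'] ?? '', $post['pass'] ?? '')) {
        return '401 bad credentials';
    }
    // In a real request, rotate the session ID to defeat session fixation.
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    unset($session[CSRF_KEY]);          // post-login session gets a fresh token
    $session['user'] = $post['user'];
    return '200 logged in as ' . $post['user'];
}

// CLI demo with a constructed in-memory session (stand-in for $_SESSION).
$session = [];
$checker = fn(string $u, string $p): bool => $u === 'alice' && $p === 'secret'; // constructed credentials

echo login_form_html($session), "\n";
// A cross-site POST carries the attacker's credentials but cannot carry the
// victim's token, so it is rejected before credentials are even checked.
$forged = ['user' => 'attacker', 'pass' => 'x'];
echo handle_login($session, $forged, $checker), "\n";  // 403 bad CSRF token
// The victim's own form submission includes the token and succeeds.
$good = ['csrf_token' => $session[CSRF_KEY], 'user' => 'alice', 'pass' => 'secret'];
echo handle_login($session, $good, $checker), "\n";    // 200 logged in as alice
```

Run it with `php login_csrf.php` to see the form and both outcomes. The order of the checks matters: the token is validated before the password so that a forged request never reaches the credential store, and the token is discarded after login so the pre-auth and post-auth sessions never share one.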