2016-05-11 17:41 GMT+02:00 Andrey Andreev <n...@devilix.net>:

> On Wed, May 11, 2016 at 5:46 PM, Lester Caine <les...@lsces.co.uk> wrote:
>
> > On 11/05/16 14:40, Andrey Andreev wrote:
> > > Therefore, while the session store *after login* is suitable for token
> > > storage, CSRF protection by default just doesn't belong in ext/session.
> >
> > If I am using php simply to 'add detail' to an element of a page that
> > does not require the client to be logged in then I don't see any need to
> > enable CSRF, but one of the options on that anonymous guest page may
> > well be a login button. Surely a large percentage of php traffic does
> > not need any security, only DoS filtering? UNTIL one is identified one
> > does not need a secure connection? Although I can see that some people
> > would want to ensure that anonymous content was 'secure', but isn't that
> > the job of https?
> >
> >
> Your login form too needs CSRF protection. It's a chicken and egg problem.
>

Not really. As long as you don't have the credentials.
You can't make any requests as the authenticated user, as there is no
authenticated user.

But logout needs it, that's often forgotten.


> A lot could be written on the rest of your comments, but they are not
> relevant to the RFC.
>
> Cheers,
> Andrey.
>
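For reference, an added example (not code from the thread or from ext/session) of what session-backed CSRF tokens look like when they cover both the anonymous login form Andrey mentions and the logout form the reply mentions; the cookie parameters and the credential callback are assumptions for the example:

```php
<?php
// Added example, not code from the thread: session-backed CSRF tokens that
// cover the anonymous login form as well as the logout form. Cookie params
// and the credential check are assumptions for the example.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
session_start(); // anonymous visitors get a session too, so the login form can carry a token

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false; // missing, malformed (e.g. array) or no token was ever issued
    }
    return hash_equals($_SESSION['csrf_token'], $submitted); // constant-time compare
}

// Login: check the token issued to the pre-login session, then rotate both the
// session id and the token so nothing from the anonymous session carries over.
function handle_login(array $post, callable $verify_credentials): bool
{
    if (!csrf_check($post['csrf_token'] ?? null) || !$verify_credentials($post)) {
        return false;
    }
    session_regenerate_id(true);
    unset($_SESSION['csrf_token']);
    $_SESSION['user'] = $post['username'] ?? '';
    return true;
}

// Logout must be a POST carrying a valid token; otherwise any third-party page
// can log the user out (the case the reply above notes is often forgotten).
function handle_logout(array $post): bool
{
    if (!csrf_check($post['csrf_token'] ?? null)) {
        return false;
    }
    $_SESSION = [];
    session_destroy();
    return true;
}

// In the form templates: <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
```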
