rfc:automatic_csrf_protection

rfc:automatic_csrf_protection [2016/05/19 03:43] yohgaki
rfc:automatic_csrf_protection [2017/09/22 13:28] (current)
Line 307: Line 307:
  
   * Since users may enable/​disable CSRF protection, pages that accept requests must enable CSRF protection. Otherwise, protection will not work. i.e. This feature is not fool proof.   * Since users may enable/​disable CSRF protection, pages that accept requests must enable CSRF protection. Otherwise, protection will not work. i.e. This feature is not fool proof.
-  * Since CSRF protections adds CSRF protection token to all applicable URLs, pages that have both private URL and public URL cannot use automatic CSRF protection.+  * Since GET CSRF protections adds CSRF protection token to all applicable URLs, pages that have both private URL and public URL cannot use automatic ​GET CSRF protection.
   * CSRF token in URLs has the same risk as Trans SID. (CSRF token in URL is not recommended)   * CSRF token in URLs has the same risk as Trans SID. (CSRF token in URL is not recommended)
   * POST/GET must have a element to be validated. If you need to validate empty POST/GET or any other special inputs, use session_csrf_validate() manually. It returns SESSION_CSRF_DISABLED for empty array.   * POST/GET must have a element to be validated. If you need to validate empty POST/GET or any other special inputs, use session_csrf_validate() manually. It returns SESSION_CSRF_DISABLED for empty array.
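Review bot: the changed bullet still carries the subject/verb mismatch of the old wording ("GET CSRF protections adds"); now that its scope is narrowed to GET it should read "Since GET CSRF protection adds a CSRF protection token to all applicable URLs, pages that have both a private URL and a public URL cannot use automatic GET CSRF protection." It would also help the reader to state why: the token is appended to every applicable URL, so a page that also serves a public URL would expose the token in that URL too, which is the same exposure the following bullet describes for the Trans SID case.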
rfc/automatic_csrf_protection.txt · Last modified: 2017/09/22 13:28 (external edit)