Yii Framework Forum: CSRF / cookie protection turned on by default

CSRF / cookie protection turned on by default

#1 phpnode

  • Standard Member
  • Group: Members
  • Posts: 141
  • Joined: 18-April 11

Posted 31 March 2012 - 03:05 PM

I think that in 2.0 we should enable CSRF token and cookie validation by default, so that the framework is more secure out of the box. We should also make it easier to turn off CSRF validation for certain controllers and actions.
4

#2 Roman Solomatin

  • Standard Member
  • Group: Members
  • Posts: 182
  • Joined: 21-October 10
  • Location: Tallinn, Estonia

Posted 17 April 2012 - 09:36 PM

phpnode, on 31 March 2012 - 03:05 PM, said:

I think that in 2.0 we should enable CSRF token and cookie validation by default, so that the framework is more secure out of the box. ...


I think it should be like it is, not every application needs this extra security.

phpnode, on 31 March 2012 - 03:05 PM, said:

... We should also make it easier to turn off CSRF validation for certain controllers and actions.


I really like this idea! Turning CSRF validation on or off based on what controller or action you use would be neat.
For example, you have CSRF validation turned on for controllers that are used by users, but turned off for Soap requests
by remote applications.
0
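The behaviour the two posts describe, as an added example that is not Yii's code and not written by either poster: a small request dispatcher in which CSRF validation and cookie signing are on for every route unless a route explicitly opts out, so a user-facing form controller is protected while a SOAP endpoint used by remote applications is not. The secret key, the route paths, the `Request` type and the `App` class are constructed for this example; the cookie and field name merely echo Yii 1.1's default `YII_CSRF_TOKEN`, and nothing below is the framework's own implementation of its `enableCsrfValidation` / `enableCookieValidation` switches.

```python
"""Double-submit CSRF check that is ON by default with a per-route opt-out,
plus HMAC-signed cookies so the token cookie cannot be forged by the client.
Illustrative stand-alone code, not Yii's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed secret for the example; a real application loads it from config.
SECRET_KEY = b"example-key-do-not-use-in-production"
CSRF_COOKIE = "YII_CSRF_TOKEN"   # same name Yii 1.1 uses by default
CSRF_FIELD = "YII_CSRF_TOKEN"
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def sign_cookie(name, value, key=SECRET_KEY):
    """Cookie validation: append an HMAC over name=value so the browser cannot
    alter or fabricate the cookie without the server-side key."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_cookie(name, signed, key=SECRET_KEY):
    """Return the cookie value if its MAC verifies, otherwise None."""
    value, sep, mac = signed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


class App:
    """Dispatcher where the CSRF check applies to every route unless the route
    itself says otherwise: the per-controller/action switch from the thread."""

    def __init__(self, enable_csrf_validation=True):
        self.enable_csrf_validation = enable_csrf_validation
        self._routes = {}

    def route(self, path, enable_csrf_validation=None):
        """Register a handler; None means 'inherit the application default'."""
        def register(handler):
            self._routes[path] = (handler, enable_csrf_validation)
            return handler
        return register

    def issue_csrf_token(self):
        """Fresh token: returns (value for the hidden form field, signed cookie)."""
        token = secrets.token_hex(16)
        return token, sign_cookie(CSRF_COOKIE, token)

    def _csrf_ok(self, req):
        # The cookie must carry a valid MAC (cookie validation) and match the
        # submitted field byte for byte, compared in constant time.
        cookie_token = verify_cookie(CSRF_COOKIE, req.cookies.get(CSRF_COOKIE, ""))
        form_token = req.post.get(CSRF_FIELD, "")
        if cookie_token is None or not form_token:
            return False
        return hmac.compare_digest(cookie_token, form_token)

    def handle(self, req):
        entry = self._routes.get(req.path)
        if entry is None:
            return 404, "not found"
        handler, route_flag = entry
        check = self.enable_csrf_validation if route_flag is None else route_flag
        if check and req.method in UNSAFE_METHODS and not self._csrf_ok(req):
            return 400, "The CSRF token could not be verified."
        return 200, handler(req)


app = App()  # secure by default: every route is checked unless it opts out


@app.route("/profile/update")            # user-facing controller: protected
def profile_update(req):
    return "profile updated"


@app.route("/soap/endpoint", enable_csrf_validation=False)  # remote apps: no token
def soap_endpoint(req):
    return "soap ok"
```

The check only runs for state-changing methods, and a cookie the attacker's page could set itself is rejected because it carries no valid MAC; a handler nobody remembered to configure still gets the check, which is the secure-by-default argument of the opening post, while the SOAP route shows the explicit opt-out the second post asks for.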

#3 phpnode

  • Standard Member
  • Group: Members
  • Posts: 141
  • Joined: 18-April 11

Posted 18 April 2012 - 02:28 AM

There is absolutely no reason to allow CSRF on any site; it's better to be secure by default.
0
