+3 votes
375 views
in Plugins by

To PHP developers:

I am developing a caching plugin for Q2A. I have one big problem with CSRF protection. I changed the protection code on all forms on all pages from a one-time token to the same session ID (PHPSESSID), using JavaScript.

My questions:

  1. Do you think this measure is effective against CSRF attacks?
  2. Do you know of any other effective way?

Thank you for your cooperation.

Q2A version: 1.7
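The question above reuses the PHP session ID as the anti-CSRF value, which means the value that identifies the session is copied into page JavaScript or cached HTML where any script on the page can read it, and a full-page cache risks serving one user's ID to another. The example below is added here and is not code from the q2a-caching plugin or from Question2Answer; it shows a cache-friendly alternative in PHP: a random per-session secret that is independent of `session_id()`, delivered as a JavaScript-readable cookie (double-submit pattern) so cached pages contain no per-user value, and checked server-side with `hash_equals()`. The names `csrf_secret`, `csrf_issue_cookie`, `csrf_check`, `csrf_rotate`, the `csrf_token` field and cookie names, and the assumption that the application already uses PHP sessions and PHP 7.3 or later are all assumptions of this example, not details from the post.

```php
<?php
// Added example (not q2a-caching's or Q2A's own code). Assumes PHP >= 7.3
// (setcookie() options array), PHP sessions, and that the client-side script
// below is served together with the cached page.

const CSRF_SESSION_KEY = 'csrf_secret';   // assumed session key name
const CSRF_COOKIE_NAME = 'csrf_token';    // assumed cookie and form field name

/**
 * Return the per-session CSRF secret, creating it on first use.
 * It is random and independent of session_id(), so exposing it to page
 * JavaScript does not expose the session cookie itself.
 */
function csrf_secret(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/**
 * Issue the secret as a cookie readable by JavaScript (HttpOnly is off on
 * purpose) so a small script can copy it into forms on cached pages.
 * SameSite=Strict stops browsers attaching it to cross-site requests.
 */
function csrf_issue_cookie(): void
{
    setcookie(CSRF_COOKIE_NAME, csrf_secret(), [
        'expires'  => 0,        // session cookie
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => false,    // JS must read it to fill the hidden field
        'samesite' => 'Strict',
    ]);
}

/**
 * Validate a submitted form: the hidden field must equal the server-side
 * secret. hash_equals() keeps the comparison constant-time.
 * Returns true for a valid token, false otherwise (caller rejects the request).
 */
function csrf_check(array $post): bool
{
    $submitted = $post[CSRF_COOKIE_NAME] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals(csrf_secret(), $submitted);
}

/**
 * Rotate both the session ID and the CSRF secret after login or logout so a
 * token observed before authentication is not valid afterwards.
 */
function csrf_rotate(): void
{
    session_regenerate_id(true);
    $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
}

// Client-side part, kept as a string so this file is self-contained: before
// submit, copy the cookie value into each form's hidden csrf_token field.
$csrfClientJs = <<<'JS'
document.querySelectorAll('form').forEach(function (f) {
  var m = document.cookie.match(/(?:^|; )csrf_token=([^;]*)/);
  if (!m) return;
  var i = f.querySelector('input[name=csrf_token]') || document.createElement('input');
  i.type = 'hidden'; i.name = 'csrf_token'; i.value = decodeURIComponent(m[1]);
  f.appendChild(i);
});
JS;

// Request handling sketch.
csrf_issue_cookie();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the form ...
}
echo '<script>', $csrfClientJs, '</script>';
```

The cached HTML is identical for every visitor because the token lives only in the cookie and the session; the check still fails for a forged cross-site POST because the attacker's page cannot read the victim's `csrf_token` cookie and the browser does not send a SameSite=Strict cookie with it. The remaining caveat is the same one that applies to any token readable from script: an XSS bug on the site defeats it, which is also why the session cookie itself should stay HttpOnly rather than being used as the token.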
by
I like the idea of caching using MySQL. A lot easier to manage and avoids such limitations.

function unlinkRecursive: This function will KILL the machine. It needs to simply use a wildcard delete with unlink.

I managed to log in with no problem. How are tokens handled? It seems to be working fine.
by
Hi @sama55, did you see my comments above? Please reply. I cannot PM you; it is closed.
by
Sorry, Steven. Because I received many, many direct questions from other users in the past, I am rejecting PMs and Wall posts. Let's converse on GitHub. My other Q2A friends are doing so too. And because I want to manage each individual problem in its own thread, please submit your issues to my GitHub.
https://github.com/sama55/q2a-caching/issues
Thanks.
by
Now I am consulting with Gideon about this issue. The security level would be reduced a little, but we can likely achieve better code.

1 Answer

0 votes
by
@sama55, are you talking about security tokens? Maybe it is not a big deal after all, since it only applies to unregistered users, and those posts would be moderated in any case.
...