> From my read, exposing session_id is discouraged in general. One could hash the session_id with the form name, but that is still not optimal. The best security is a 'nonce' (a hash that occurs only once) using a timestamp, saving it to the form and session and checking it when the form is submitted. I believe that is what qa is doing with the provided functions already.
Yes. I agree. However, since the one-time token in the form is also cached, I thought we could not use it. This change began with Yerbol's report below.
But, in my environment, this issue does not occur. I investigated the CSRF protection logic again. As a result, I thought changes to the CSRF protection logic in the caching plugin are basically not needed. However, we might need to correct the cached timestamp.
What do you think about it?
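An added illustration, not Question2Answer's own code, of the nonce scheme described in the quoted post and of why a cached copy of a form breaks it: the session store, form names and timestamps below are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

def issue_nonce(session, form_name, now=None):
    """Create a one-time token for a form and bind it to the session and issue time."""
    now = int(time.time()) if now is None else now
    raw = secrets.token_hex(16)  # unpredictable component; the timestamp alone is guessable
    token = hashlib.sha256(f"{form_name}:{now}:{raw}".encode()).hexdigest()
    session.setdefault("nonces", {})[token] = {"form": form_name, "issued": now}
    return token

def render_form(session, form_name, now=None):
    """Return the form as a dict with a fresh nonce; this is what a page cache would store."""
    return {"form": form_name, "nonce": issue_nonce(session, form_name, now)}

def verify_nonce(session, form_name, token, now=None, max_age=3600):
    """Accept a token once: it must exist, match the form and be fresh; it is consumed either way."""
    now = int(time.time()) if now is None else now
    entry = session.get("nonces", {}).pop(token, None)
    if entry is None:
        return False
    if not hmac.compare_digest(entry["form"], form_name):
        return False
    return now - entry["issued"] <= max_age

def cached_form_scenario():
    """A cached page carries an already-used nonce, so the second submission is rejected."""
    session = {}
    cached = render_form(session, "post", now=1000)  # constructed: cached at t=1000
    first = verify_nonce(session, "post", cached["nonce"], now=1001)   # live submission
    replay = verify_nonce(session, "post", cached["nonce"], now=1002)  # served from cache again
    return first, replay  # returns (True, False)
```

The same rejection happens when the cached copy is older than `max_age`, which is why a one-time, timestamped token cannot simply be cached with the page.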