Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reevaluate and maybe deprecate custom CsrfProvider #3206

Closed
Guite opened this issue Nov 22, 2016 · 5 comments
Closed

Reevaluate and maybe deprecate custom CsrfProvider #3206

Guite opened this issue Nov 22, 2016 · 5 comments
Milestone
3.0.0

Comments

@Guite
Copy link
Member

Guite commented Nov 22, 2016

Review whether a custom csrf token manager is needed. If not, deprecate it.

cc @craigh
@Guite Guite added this to the 1.4.5 milestone Nov 22, 2016
@Guite
Copy link
Member Author

Guite commented Dec 6, 2016
edited
Loading

Our CsrfTokenHandler aims on csrf tokens in GET requests and forms which are not using Symfony forms (yet). So we can get rid of it after 1. all forms use Symfony forms and 2. there are no GET requests anymore changing the state of the system.

From http://security.stackexchange.com/questions/36671/csrf-token-in-get-request

GET requests should also never make state changes to the system,
therefore should not be required to have CSRF protection.
Even logout should not be a GET request for the method
that actually executes the logout (although you could have
a GET link that navigates to another page before
a POST request carries out the action).

@Guite
Copy link
Member Author

Guite commented Dec 6, 2016

I propose that we deprecate it now and trigger deprecation errors to find and eliminate it's usages.
@craigh ?

@Guite
Copy link
Member Author

Guite commented Dec 13, 2016

Also lib/Zikula/Core/Token/* seems to become deprecated in the same step.

@Guite Guite modified the milestones: 1.4.5, 1.4.6, 1.4.7 Dec 23, 2016
@Guite Guite mentioned this issue Feb 19, 2017
Merged
This was referenced Mar 30, 2017
Closed
Closed
@craigh craigh removed Task labels Apr 2, 2017
@Guite Guite modified the milestones: 1.5.0, 2.1.0 Jun 19, 2017
@Guite
Copy link
Member Author

Guite commented Nov 15, 2017

Probably our CsrfTokenHandler can be replaced by http://symfony.com/doc/current/controller/csrf_token_validation.html

@Guite
Copy link
Member Author

Guite commented Mar 29, 2018

See also https://stackoverflow.com/questions/12054449/symfony-csrf-and-ajax

@Guite Guite modified the milestones: 2.1.0, 3.0.0 Nov 2, 2018
@Guite Guite closed this as completed in 64ea5cc Mar 19, 2019
craigh added a commit that referenced this issue Nov 25, 2019
@craigh
correct regression refs 64ea5cc and #3206
c6ccfc9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
2 participants
@Guite @craigh