On 22.05.2014 15:28, Rosali wrote:
> If it is your opinion that the login page has to be CSRF protected then OK.
> BUT I don't want to have sessions started just for CSRF prevention for ANY
> code which is executed in an unauthenticated state
You refuse to understand how CSRF works:

* at the first call the server generates a token
* the token is placed in a hidden field
* before taking any action, the submitted token is verified against the one from the first request

How do you, genius, imagine this works without storing the token in a session, without starting a session at all? Hint: you can't do without.
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
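The three steps listed in the reply, written out as an added Python example (not code from the thread or from Roundcube): a constructed in-memory dict stands in for the real session backend, and the names `SESSIONS`, `first_call`, `verify_submission` and `extract_token` are assumptions of this example. It shows why the server-side copy of the token needs a session: without one, there is nothing to compare the submitted token against.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory session store: session id -> session data.
# A real deployment would use the framework's session backend (assumption).
SESSIONS: dict = {}


def first_call() -> Tuple[str, str]:
    """Step 1 and 2: the first GET of the login page starts a session,
    generates a token, and returns (session_id, hidden_field_html).

    The session id is what the Set-Cookie header would carry; the HTML
    fragment is what goes into the login form."""
    session_id = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": token}
    html = '<input type="hidden" name="_token" value="%s">' % token
    return session_id, html


def verify_submission(session_cookie: Optional[str],
                      posted_token: Optional[str]) -> bool:
    """Step 3: before acting on the POST, compare the posted token with
    the one stored in the session identified by the cookie.

    No cookie, unknown session, or missing token all fail closed: the
    server-side copy has to exist somewhere, and that somewhere is the
    session."""
    if session_cookie is None or posted_token is None:
        return False
    session = SESSIONS.get(session_cookie)
    if session is None:
        return False
    stored = session.get("csrf_token")
    if stored is None:
        return False
    # Constant-time comparison so a mismatch does not leak via timing.
    return hmac.compare_digest(stored, posted_token)


def extract_token(html: str) -> str:
    """Pull the token back out of the hidden field (what the browser submits)."""
    return html.split('value="')[1].rstrip('">')
```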
