On 22.05.2014 15:28, Rosali wrote:
If it is your opinion that the login page has to be CSRF protected then OK. BUT I don't want to have sessions started just for CSRF prevention for ANY code which is executed in a non-authenticated state
you refuse to understand how CSRF works
how do you, genius, imagine this works without storing the token in a session, without starting a session at all?
hint: you can't do without