22 May
2014
22 May
'14
3:34 p.m.
Am 22.05.2014 15:28, schrieb Rosali:
If it your opinion that the login page has to be CSFR protected then OK. BUT I don't want to have sessions started just for CSFR prevention for ANY code which is executed in not authenticated state
you refuse to understand how CSFR works
- at the first call the server generates a token
- the token is placed in a hidden filed
- before take any action the submitted token is verified against the one from the first request
how do you genius imagine this works without storing the token in a session without start a session at all?
hint: you can't do without