Feature #25362

closed

option to disable csrf completely

Added by Jonas Felix over 13 years ago. Updated over 13 years ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2011-03-21
Due date:
% Done: 0%
Estimated time:
PHP Version: 5.2
Tags:
Complexity:
Sprint Focus:

Description

CSRF leads on productive systems with a lot of regular users to a lot of errors and frustration.

As long as it is not 100% tested and productively usable, it needs a disable function. Of course the basic idea is great, but because it leads to a lot of false positives (errors even if everything is right...) we have to be able to disable it in productive systems.

We'll make a patch-XCLASS extension to have a quick-fix.

> It's great to bring innovation but please fix the existing things and then innovate, don't add stuff to stuff that is not working yet :(
(issue imported from #M17995)

Actions #1

Updated by Georg Ringer over 13 years ago

I doubt that will happen. The effort will more likely be used to fix any open bugs. Furthermore, bug reports containing "what doesn't work" are more helpful.

Actions #2

Updated by Jonas Felix over 13 years ago

Hi Georg

We'll add the option with our own extension for our projects; if somebody needs it, please ask. I just mentioned it because I know a lot of users have issues with the global CSRF.

Main Problem:
-> Tokens invalid for regular users doing regular TYPO3 administration.

There are several places with several different problems, so this is just a workaround for all of them...

One main issue: If your backend session is, for example, 3 hours (as wished by the customer - he is boss at the end...) the token still expires within a shorter time. A typical user goes to get a coffee for 1-2 hours, comes back and gets incomprehensible security token messages...

Tizian, Dimitri and Nils are working on several updates of bigger systems and have experienced similar problems in different areas of TYPO3...

It's a great technology, but to make the users happy, we make a 'just ignore' option :-) Because we can't tell the customer "wait till it's fixed" everywhere... We by the way are fixing several 4.5.2 bugs at the moment...
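
The mismatch described in the comment above (a backend session that outlives its CSRF token), as an added example that is not part of the thread and not TYPO3's implementation: a token with its own expiry next to one bound to a per-session secret, which lapses only when the session does. Function names, the 1-hour token limit and the timestamps are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added illustration; function names and all values are constructed, not TYPO3 code.

// Variant A: the token carries its own clock and dies after $ttl seconds.
function issueTimedToken(string $secret, string $formId, int $now): string
{
    return $now . ':' . hash_hmac('sha256', $formId . '|' . $now, $secret);
}

function checkTimedToken(string $secret, string $formId, string $token, int $now, int $ttl): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    $issuedAt = (int)$parts[0];
    $expected = hash_hmac('sha256', $formId . '|' . $issuedAt, $secret);
    // Constant-time MAC comparison first, then the token's own age limit.
    return hash_equals($expected, $parts[1])
        && $now >= $issuedAt && ($now - $issuedAt) <= $ttl;
}

// Variant B: the token is a MAC under a per-session secret, so it is valid
// exactly as long as the session that holds the secret.
function issueSessionToken(string $secret, string $formId): string
{
    return hash_hmac('sha256', 'csrf|' . $formId, $secret);
}

function checkSessionToken(?string $secret, string $formId, string $token): bool
{
    if ($secret === null) {
        return false; // session expired or user logged out: secret is gone
    }
    return hash_equals(issueSessionToken($secret, $formId), $token);
}

// Constructed scenario: 3-hour session, 1-hour token limit, user returns after 2 hours.
$secret   = bin2hex(random_bytes(32)); // stored server-side in the session
$issued   = 1300700000;                // constructed timestamp
$returned = $issued + 2 * 3600;
$timed    = issueTimedToken($secret, 'editPage', $issued);
$bound    = issueSessionToken($secret, 'editPage');

var_dump(checkTimedToken($secret, 'editPage', $timed, $returned, 3600)); // session alive, token too old
var_dump(checkSessionToken($secret, 'editPage', $bound));   // same session, same form
var_dump(checkSessionToken($secret, 'deleteUser', $bound)); // token replayed on another form
var_dump(checkSessionToken(null, 'editPage', $bound));      // session has ended
```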

Actions #3

Updated by Georg Ringer over 13 years ago

Doing it in an extension is fine, it just won't happen within the core.

Actions #4

Updated by Jonas Felix over 13 years ago

Of course, if not too many companies have the problem ;-)

Actions #5

Updated by Steffen Kamper over 13 years ago

We are still improving CSRF - there should be no problems remaining, so I see no need to disable it, let it be secure ;)

Actions #6

Updated by Steffen Gebert over 13 years ago

I'm also strongly against a switch. Hopefully, it gets really stable soon. It should not have been added so late during development to allow more intense testing.

Actions #7

Updated by Steffen Gebert over 13 years ago

  • Status changed from New to Rejected
  • Target version deleted (0)