TYPO3 Core

i doubt that will happen. the effort will more likely to be used to fix any open bugs. furthermore bug reports containing "what doesn't work" are more helpful

Hi Georg

We'll add the option with a own extension for our projects, if somebody needs it please ask. I just mentioned it because I know a lot of users have issues with the global csrf.

Main Problem:
-> Tokens invalid for regular users doing regular TYPO3 administration.

There are several places with several different problems, so this is just a workaround for all of them...

One main issue: If your backend session is in example 3 hours (as wished by the cutsomer - he is boss at the end...) the token still expires within a shorter time. Typical user is going to get a coffee for 1-2 hours comes back and get's incomprehensible security token messages...

Tizian, Dimitri and Nils are working on several Updates of bigger systems and have expirienced similar problems in different areas of TYPO3...

It's a great technology, but to make the users happy, we make a 'just ignore' option :-) Because we can't tell the customer "wait till it's fixed" everywhere... We by the way are fixing several 4.5.2 bugs at the moment...

doing it in an extension is fine, it just won't happen within the core

Of course, if not to many companies have the problem ;-)

we are still improving CSRF - there should be no problems remain, so i see no need for disable, let it be secure ;)

I'm also strongly against a switch. Hopefully, it gets really stable soon. It should not have been added so late during development to allow more intense testing.