Feature #47252

Skip CSRF protection and persistence for "safe" request methods

Added by Robert Lemke over 8 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Must have
Assignee:
Category:
MVC
Start date:
2013-04-15
Due date:
% Done:

100%

Estimated time:
PHP Version:
5.4
Has patch:
No
Complexity:
medium

Description

By definition, GET / HEAD requests should be considered "safe", that is, they should only be used for retrieval and not have any state side effects on the server side (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html).

We should support and enforce this principle by turning off the automatic persistAll() call and skipping CSRF protection for GET (and HEAD) requests.

In later versions we can further optimize Flow to take advantage of the knowledge that a request is considered to be read-only (possibly speeding up persistence, security etc.).
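One way the proposed policy could look in code, added here as an illustration and not code from Flow or from this ticket: GET/HEAD requests bypass the CSRF check and never trigger persistAll(), while every other method must carry a valid token and is persisted afterwards. The $persistence object (assumed to expose hasChanges() and persistAll()), the $csrfTokenIsValid callable and the $logger callable are assumptions for the example; the unsaved-changes check on a safe request is the caveat that matters, because an action that writes on GET would otherwise lose both its CSRF protection and its data silently.

```php
<?php
// Added example (not Flow's own code): dispatcher wrapper for the
// "safe method" policy. GET/HEAD are safe per RFC 2616 §9.1.1.

class SafeMethodDispatcher
{
    private $persistence;       // assumed: hasChanges(), persistAll()
    private $csrfTokenIsValid;  // assumed: callable(array $request): bool
    private $logger;            // assumed: callable(string $message)

    public function __construct($persistence, $csrfTokenIsValid, $logger)
    {
        $this->persistence = $persistence;
        $this->csrfTokenIsValid = $csrfTokenIsValid;
        $this->logger = $logger;
    }

    public static function isSafeMethod($method)
    {
        // HTTP method names are case-sensitive; normalise defensively anyway.
        return in_array(strtoupper($method), array('GET', 'HEAD'), true);
    }

    // $request is a plain array, e.g. array('method' => 'POST', 'token' => '...')
    // $action is the controller action to run: callable(array $request)
    public function dispatch(array $request, $action)
    {
        $safe = self::isSafeMethod($request['method']);

        // CSRF token is only required for state-changing (unsafe) methods.
        if (!$safe && !call_user_func($this->csrfTokenIsValid, $request)) {
            throw new RuntimeException('Invalid or missing CSRF token');
        }

        $result = call_user_func($action, $request);

        if ($safe) {
            // Not persisting is the enforcement. A dirty unit of work after a
            // safe request means an action has side effects on GET/HEAD, which
            // are now neither CSRF-protected nor saved: flag it for review.
            if ($this->persistence->hasChanges()) {
                call_user_func($this->logger,
                    'Safe ' . $request['method'] . ' request produced unsaved changes');
            }
        } else {
            $this->persistence->persistAll();
        }
        return $result;
    }
}
```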
