CSRF solution about qa-caching plugin is safety?

Question

To PHP developers:

I am developing caching plugin for Q2A. I have one big problem about CSRF protection. I changed protection code on all forms on all pages from one time token to same session-ID (PHPSESSID) with Javascript.

My questions:

1. Do you think this measure is effective against CSRF attack?
2. Do you know any other effective way?

Thank you for your cooperation.

Comments

I like the idea of caching using mysql.  A lot easier to manage and avoids such limitation.

function unlinkRecursive:  This function will KILL the machine. Needs to simply use wildcard delete using unlink.

I managed to login with no problem.  How are tokens handled, seems to be working fine.

---

Hi @sama55, did you see my comments above. Please reply. I cannot pm you, it is closed.

---

Sorry, steven. In the past, because I had many many direct questions from other users, I am rejecting PM and Wall. Let's conversation in github. Also other my Q2A friends are doing so. And, because I want to manage the individual problem for each thread, please submit your issues to my github.
https://github.com/sama55/q2a-caching/issues
Thanks.

---

Now, I am consulting about this issue with Gideon. Security level would be reduced a little, but likely can achieve better code.

Answer 1

@sama55, are you talking about security tokens.  Maybe it is not a big deal after all, since only applies to unregistered, and those posts would be moderated in any case.