Since a really really long time (since 2012!!!!) CSRF has been commented out and there was no fix until now.
The descriptions says CSRF is implemented and complete! That is simply WRONG and is a security nightmare!!
I implemented the basic CSRF tokens which take the settings from the config.
Maybe the naming of this setting(s) has to be changed because it's not only used in the login form but in all the others except the registration form.
That can be discussed and added later on. For now it would be good if anyone of the maintainer(@EvanDotPro , @weierophinney , @Danielss89 ) could merge and release a new package.
Thanks :)
Since a really really long time (since 2012!!!!) CSRF has been commented out and there was no fix until now. The descriptions says CSRF is implemented and complete! That is simply WRONG and is a security nightmare!!
I implemented the basic CSRF tokens which take the settings from the config. Maybe the naming of this setting(s) has to be changed because it's not only used in the login form but in all the others except the registration form. That can be discussed and added later on. For now it would be good if anyone of the maintainer(@EvanDotPro , @weierophinney , @Danielss89 ) could merge and release a new package. Thanks :)