4 1.0.5 released 2014-07-24
8 - In some server environments, IP address was not being detected
9 properly. Thanks Bianka Martinovic for reporting.
11 1.0.4 released 2013-07-17
15 - When secret key was not explicitly set, it was not being used
16 by the csrf_hash() function. Thanks sparticvs for reporting.
20 - The default 'CSRF check failed' page now offers a handy 'Try
21 again' button, which resubmits the form.
25 - The fix for 1.0.3 inadvertantly turned off XMLHttpRequest
26 overloading for all browsers; it has now been fixed to only
29 1.0.3 released 2012-01-31
33 - Internet Explorer 8 adds support for XMLHttpRequest.prototype,
34 but this support is broken for method overloading. We
35 explicitly disable JavaScript overloading for Internet Explorer.
36 Thanks Kelly Lu for reporting. <lubird@gmail.com>
38 - A global declaration was omitted, resulting in a variable
39 not being properly introduced in PHP 5.3. Thanks Whitney Beck for
40 reporting. <whitney.a.beck@gmail.com>
42 1.0.2 released 2009-03-08
46 - Due to a typo, csrf-magic accidentally treated the secret key
47 as always present. This means that there was a possible CSRF
48 attack against users without any cookies. No attacks in the
49 wild were known at the time of this release. Thanks Jakub
52 1.0.1 released 2008-11-02
56 - Support for composite tokens; this also fixes a bug with using
57 IP-based tokens for users with cookies disabled.
59 - Native support cookie tokens; use csrf_conf('cookie', $name) to
60 specify the name of a cookie that the CSRF token should be
61 placed in. This is useful if you have a Squid cache, and need
62 to configure it to ignore this token.
64 - Tips/tricks section in README.txt.
66 - There is now a two hour expiration time on all tokens. This
67 can be modified using csrf_conf('expires', $seconds).
69 - ClickJacking protection using an iframe breaker. Disable with
70 csrf_conf('frame-breaker', false).
74 - CsrfMagic.send() incorrectly submitted GET requests twice,
75 once without the magic token and once with the token. Reported
76 by Kelly Lu <lubird@gmail.com>.