4 1.0.5 released 2014-07-24
8 - In some server environments, IP address was not being detected
9 properly. Thanks Bianka Martinovic for reporting.
13 - Hashing now uses an HMAC to prevent length extension attacks.
15 1.0.4 released 2013-07-17
19 - When secret key was not explicitly set, it was not being used
20 by the csrf_hash() function. Thanks sparticvs for reporting.
24 - The default 'CSRF check failed' page now offers a handy 'Try
25 again' button, which resubmits the form.
29 - The fix for 1.0.3 inadvertantly turned off XMLHttpRequest
30 overloading for all browsers; it has now been fixed to only
33 1.0.3 released 2012-01-31
37 - Internet Explorer 8 adds support for XMLHttpRequest.prototype,
38 but this support is broken for method overloading. We
39 explicitly disable JavaScript overloading for Internet Explorer.
40 Thanks Kelly Lu for reporting. <lubird@gmail.com>
42 - A global declaration was omitted, resulting in a variable
43 not being properly introduced in PHP 5.3. Thanks Whitney Beck for
44 reporting. <whitney.a.beck@gmail.com>
46 1.0.2 released 2009-03-08
50 - Due to a typo, csrf-magic accidentally treated the secret key
51 as always present. This means that there was a possible CSRF
52 attack against users without any cookies. No attacks in the
53 wild were known at the time of this release. Thanks Jakub
56 1.0.1 released 2008-11-02
60 - Support for composite tokens; this also fixes a bug with using
61 IP-based tokens for users with cookies disabled.
63 - Native support cookie tokens; use csrf_conf('cookie', $name) to
64 specify the name of a cookie that the CSRF token should be
65 placed in. This is useful if you have a Squid cache, and need
66 to configure it to ignore this token.
68 - Tips/tricks section in README.txt.
70 - There is now a two hour expiration time on all tokens. This
71 can be modified using csrf_conf('expires', $seconds).
73 - ClickJacking protection using an iframe breaker. Disable with
74 csrf_conf('frame-breaker', false).
78 - CsrfMagic.send() incorrectly submitted GET requests twice,
79 once without the magic token and once with the token. Reported
80 by Kelly Lu <lubird@gmail.com>.