I'm definitely not the expert, and take a phpBB security developer response over mine any day.
But for what it's worth, the interpretation I have is that using the session ID in the form check for non-logged-on sessions makes it nearly impossible (instead of just "hard") for someone to script an HTTP POST request to attempt submitting the form without actually having visited the site & received the form from phpBB. (e.g. If you were trying to brute force a login, submit fake "I forgot my password" requests for multiple users, give fake votes in a poll that is accessible to not-logged-on users, etc.) i.e. To submit the form without giving phpBB the opportunity to deny providing you with the form, or for phpBB to change the form to include additional requirements.
Without the session ID included, it's still "hard" to do that, but with the session ID included its even more difficult. What I can't answer is how much benefit specifically the login form gets from this change, since there are additional things protecting the login form such as the fact that captcha countermeasures can be enabled after a certain number of failed logins.
I also can't answer what specifically led to making this change in phpBB 3.2.6, because there are no public details on what led to the "[SECURITY-228] - Require form token in login_box
" issue addressed in phpBB 3.2.6.
So my characterization of why the "Tie forms to guest sessions"
setting exists at all is that we were already "pretty safe" even without the session ID being included in the form key used for not-logged-on users. The intention was to "harden" and "become even more safe" by including the session ID in that form key.
As mentioned earlier, "Tie forms to guest sessions: Yes"
has been the default in phpBB "forever", and the only thing that changed recently is that the form key check started being used in the login form, too. (And login, by definition, has always been a not-logged-on or "guest" user situation.) But whether it was just "general hardening" which led to the "[SECURITY-228] - Require form token in login_box"
changes, or actually "in response to a specific issue or observation", I do not know.
We are losing some
, but not all
, of that security fix by setting "Tie forms to guest sessions: No"
. Because even without the session ID being included, there are still other components of the form key hash that are difficult to replicate without receiving the form from the phpBB server.
That form key hash is still being checked on the login forms starting in phpBB 3.2.6 and later, even when configured for "Tie forms to guest sessions: No"
. Leaving the session ID included in that hash would have simply made it "even more difficult" to "fake" one of those forms, same as it always has for any form even prior to phpBB 3.2.6.