[Freeipa-devel] IPA Server UI Behind Proxy

Simo Sorce simo at redhat.com
Mon Sep 2 12:38:51 UTC 2013


On Mon, 2013-09-02 at 14:31 +0800, Jan Pazdziora wrote:
> On Thu, Aug 15, 2013 at 04:27:53PM +0200, Petr Viktorin wrote:
> > 
> > >Alternatively, how essential is this requirement for the referer
> > >header -- couldn't it be dropped, maybe via some config option?
> > 
> > Without it, a malicious link/button on any webpage (or e-mail) could
> > do any action in IPA, if clicked by a logged-in admin.
> 
> Could we change the CSRF protection method from the Referrer check to
> some user session specific token?

Where do you store it on the client side?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
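As an added example (not FreeIPA's own code), the two CSRF defences contrasted in this thread modelled in Python on constructed requests: a Referer check that fails closed when a proxy strips or rewrites the header (the situation that started the thread), and a per-session token kept server-side and handed to the UI page so it can be echoed back, rather than living only in a cookie. All origins, hostnames and function names are hypothetical.

```python
# Added example, not FreeIPA code. Both CSRF strategies from the thread,
# exercised against constructed requests. All names/origins are hypothetical.
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SERVER_ORIGIN = "https://ipa.example.test"  # constructed public origin of the UI


def referer_check(headers: Dict[str, str], allowed_origin: str = SERVER_ORIGIN) -> bool:
    """Accept a state-changing request only if its Referer names our own origin.
    A missing Referer is rejected (fail closed): a link in a mail client or a
    proxy that drops the header both look identical to a cross-site request."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == allowed_origin


# Server-side session store: session id -> CSRF token bound to that session.
SESSIONS: Dict[str, str] = {}


def new_session() -> Tuple[str, str]:
    """Create a session and mint its token. The token is delivered inside the
    authenticated UI page (read by the page's own JavaScript and sent back in
    a header or form field), so a third-party page can never read or send it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def token_check(session_id: str, submitted: Optional[str]) -> bool:
    """Accept only if the submitted token equals the one bound to this session."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    return secrets.compare_digest(expected, submitted)  # constant-time compare


def demo() -> Dict[str, bool]:
    sid, tok = new_session()
    return {
        "same_origin": referer_check({"Referer": SERVER_ORIGIN + "/ipa/ui/"}),
        "cross_site": referer_check({"Referer": "https://other.example.test/p"}),
        "proxy_strips": referer_check({}),  # proxy removed Referer: real UI rejected
        "proxy_rewrites": referer_check({"Referer": "http://ipa-backend:8080/ipa/ui/"}),
        "token_ok": token_check(sid, tok),
        "token_absent": token_check(sid, None),  # cross-site form carries no token
        "token_wrong": token_check(sid, secrets.token_urlsafe(32)),
    }
```

The Referer check's two false rejections (`proxy_strips`, `proxy_rewrites`) are exactly what a proxied deployment hits, while the session token is indifferent to what the proxy does to headers.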