[Freeipa-devel] IPA Server UI Behind Proxy
Jan Pazdziora
jpazdziora at redhat.com
Tue Sep 3 00:50:13 UTC 2013
On Mon, Sep 02, 2013 at 05:57:16PM +0200, Petr Vobornik wrote:
> >
> >Could we change the CSRF protection method from the Referrer check to
> >some user session specific token?
>
> I don't think we can use the recommended method[1] where the CSRF token
> is stored in a requested page (i.e. in a hidden element) because we don't
> generate UI on a server.
>
> The only way to use the token, which I see, is to create a CSRF token
> on login and return it in a cookie.
Does it have to be cookie?
What is the result of a login operation? It seems that at least for
the /ipa/session/login_password call, it is the result of
finalize_kerberos_acquisition, which returns [''], and that empty
string is ignored by IPA.login_password's success_handler. Could the
return be the token, and get stored either to IPA.ui.csrf_token or
similar place, or stored to an element in the DOM? You don't really
need to use cookies for that.
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat