On Sat, 12 Feb 2011 23:38:33 +0100, Philip Iezzi wrote:
> Hi
>
> You were introducing (better) CSRF protection in RC 0.5.1. In RC 0.5
> we were able to provide our own custom login forms (on a different
> domain) for Roundcube. In 0.5.1 those forms no longer work, probably
> due to the missing "_token" POST request param. We're getting
> redirected to the login form right after submitting the login
> credentials.
>
> We provide both "_user" and "_pass" input fields but are not able to
> provide the hidden "_token" field as this token gets generated by RC.
> Example login form that works perfectly under RC 0.5:
> https://my.onlime.ch/index/webmail
>
> Is there any workaround for this in RC 0.5.1? I couldn't find any
> hints about custom login forms in your Wiki.
You could use a plugin (startup hook):
    function startup($args)
    {
        // in this example the outside login form must submit 'ajax=1' so
        // the hook can detect a login attempt
        if (!empty($_POST['ajax']) && !empty($_POST['_user']) && !empty($_POST['_pass'])) {
            // perhaps some additional checks, e.g. HTTP Referer ...
            $_POST['_token'] = $_SESSION['request_tokens']['login'];
        }
        return $args;
    }
>
> Thanks!
> Regards, Philip
_______________________________________________
List info: http://lists.roundcube.net/dev/
BT/8f4f07cd
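The startup hook above wrapped as a complete Roundcube plugin, as an added example that is not code from the thread or from the Roundcube project. It assumes the 0.5-era plugin API (rcube_plugin, add_hook) and the $_SESSION['request_tokens']['login'] slot quoted in the reply; the plugin name and the allowed Referer host are placeholders. It adds the Referer check the reply only hints at, so the token is supplied solely for posts that arrive from the listed host.

```php
<?php
// Added example: plugin that lets an external login form pass Roundcube's
// login request-token check. Class/plugin name is a placeholder.
class external_login_form extends rcube_plugin
{
    // Constructed allowlist of hosts permitted to post the external form
    // (placeholder value; replace with the real form host).
    private $allowed_referer_hosts = array('login.example.com');

    function init()
    {
        $this->add_hook('startup', array($this, 'startup'));
    }

    function startup($args)
    {
        // The external form must submit 'ajax=1' plus _user and _pass.
        if (empty($_POST['ajax']) || empty($_POST['_user']) || empty($_POST['_pass'])) {
            return $args;
        }

        // Only accept the post when the Referer host is on the allowlist;
        // a missing or foreign Referer leaves _token unset, so Roundcube's
        // CSRF check still rejects the request.
        $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        $host    = parse_url($referer, PHP_URL_HOST);
        if (is_string($host) && in_array(strtolower($host), $this->allowed_referer_hosts, true)) {
            $_POST['_token'] = $_SESSION['request_tokens']['login'];
        }

        return $args;
    }
}
```

Browsers may suppress the Referer header, in which case this plugin falls through and the login is refused rather than accepted unchecked.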