Philip Iezzi wrote:
> Hi
>
> You were introducing (better) CSRF protection in RC 0.5.1. In RC 0.5 we were
> able to provide our own custom login forms (on a different domain) for
> Roundcube. In 0.5.1 those forms no longer work, probably due to the missing
> "_token" POST request param. We're getting redirected to the login form right
> after submitting the login credentials.
>
> We provide both "_user" and "_pass" input fields but are not able to provide
> the hidden "_token" field as this token gets generated by RC.
> Example login form that works perfectly under RC 0.5:
> https://my.onlime.ch/index/webmail
>
> Is there any workaround for this in RC 0.5.1? I couldn't find any hints about
> custom login forms in your Wiki.
You have to create a small plugin which hooks into the 'authenticate' hook and
sets the 'valid' field to true. See
http://trac.roundcube.net/wiki/Plugin_Hooks#authenticate

To keep CSRF protection you could do some additional checks (e.g. a Referer
check) to verify the origin of the login request before setting 'valid' to
true.

Regards,
Thomas

_______________________________________________
List info: http://lists.roundcube.net/dev/
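For readers following the thread, here is an added example of the plugin Thomas describes. It is not code from the Roundcube project or from either poster: a plugin class hooked into 'authenticate' that sets 'valid' only when the Referer of the login POST matches an allow list. The plugin name `external_login` and the config option `external_login_origins` are assumptions chosen for this example; the hook arguments ('valid', 'user', 'pass') are the ones the reply refers to.

```php
<?php
/**
 * Added example (not part of Roundcube or of this thread): accept a login
 * posted from an external form that cannot carry Roundcube's "_token" field,
 * but only when the request originates from an allow-listed page.
 *
 * Assumptions (not from the original message):
 *   - plugin directory and class name "external_login"
 *   - config option 'external_login_origins' in plugins/external_login/config.inc.php,
 *     e.g. $rcmail_config['external_login_origins'] = array('https://my.onlime.ch');
 */
class external_login extends rcube_plugin
{
    // The hook only matters during the login task
    public $task = 'login';

    function init()
    {
        $this->load_config();
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    /**
     * 'authenticate' hook: Roundcube passes 'valid' = result of its own _token
     * check; setting it to true lets the login proceed without that token.
     */
    function authenticate($args)
    {
        // Roundcube's own form already carried a valid _token: nothing to do
        if (!empty($args['valid'])) {
            return $args;
        }

        $rcmail  = rcmail::get_instance();
        $allowed = (array) $rcmail->config->get('external_login_origins', array());

        // Only trust the token-less POST if it came from an allow-listed origin
        if ($this->referer_allowed($allowed)) {
            $args['valid'] = true;
        }
        // Otherwise leave 'valid' false; Roundcube redirects to its login form
        return $args;
    }

    /**
     * Compare scheme://host[:port] of the Referer against the allow list.
     * Parsing the URL instead of doing a string-prefix match avoids accepting
     * look-alikes such as https://my.onlime.ch.attacker.example/.
     */
    private function referer_allowed($allowed)
    {
        if (empty($_SERVER['HTTP_REFERER'])) {
            return false;
        }
        $ref = parse_url($_SERVER['HTTP_REFERER']);
        if (empty($ref['scheme']) || empty($ref['host'])) {
            return false;
        }
        $origin = strtolower($ref['scheme'] . '://' . $ref['host']);
        if (!empty($ref['port'])) {
            $origin .= ':' . $ref['port'];
        }
        return in_array($origin, array_map('strtolower', $allowed), true);
    }
}
```

Two caveats worth keeping in mind: browsers and proxies may strip the Referer header, so users behind such setups will be bounced back to the login form; and a Referer check only establishes which origin rendered the form, so anyone who can inject content into a page on the allow-listed origin can still submit logins on the user's behalf. The check is weaker than Roundcube's own `_token`, which is exactly why the example leaves 'valid' untouched whenever the token was present.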
