On 14.02.2011 at 10:50, Thomas Bruederli wrote:
> Philip Iezzi wrote:
>> Hi
>>
>> You were introducing (better) CSRF protection in RC 0.5.1. In RC 0.5 we were
>> able to provide our own custom login forms (on a different domain) for
>> Roundcube. In 0.5.1 those forms no longer work, probably due to the missing
>> "_token" POST request param. We're getting redirected to the login form
>> right after submitting the login credentials.
>>
>> We provide both "_user" and "_pass" input fields but are not able to provide
>> the hidden "_token" field as this token gets generated by RC.
>> Example login form that works perfectly under RC 0.5:
>> https://my.onlime.ch/index/webmail
>>
>> Is there any workaround for this in RC 0.5.1? I couldn't find any hints
>> about custom login forms in your Wiki.
>
> You have to create a small plugin which hooks into the 'authenticate' hook
> and sets the 'valid' field to true. See
> http://trac.roundcube.net/wiki/Plugin_Hooks#authenticate
>
> To keep CSRF protection you could do some additional checks (e.g. Referer
> check) to check the origin of the login request before setting 'valid' to
> true.
>
> Regards,
> Thomas
Hi Thomas & Roland,

Thanks a lot for your solution, which works perfectly for me. Could you please consider integrating such a plugin in future versions of RC?

I've attached my plugin "onlime_custom_login" for anybody else who runs into this problem in RC 0.5.1.

Regards,
Philip

--- 8< --- detachments --- 8< ---
The following attachments have been detached and are available for viewing.
http://detached.gigo.com/rc/cJ/5CGBnChk/config.inc.php.dist
http://detached.gigo.com/rc/cJ/5CGBnChk/onlime_custom_login.php
Only click these links if you trust the sender, as well as this message.
--- 8< --- detachments --- 8< ---
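As an added example (not the attached onlime_custom_login plugin and not Roundcube's own code), this is the shape of the 'authenticate' hook plugin Thomas describes, with the Referer check he suggests so that the token bypass is limited to a known external login form. The class name, the plugin config key 'custom_login_origins' and the accompanying config.inc.php are assumptions of this example; the hook name, the 'valid' field and the rcube_plugin methods are Roundcube's.

```php
<?php
// Added example: accept credentials POSTed from an allow-listed external
// login form by marking the 'authenticate' hook result as valid, instead
// of relying on the "_token" field that only Roundcube's own form carries.
class custom_login extends rcube_plugin
{
    public $task = 'login';   // only needed while logging in

    function init()
    {
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    function authenticate($args)
    {
        // If Roundcube's own _token check already passed, change nothing.
        if (!empty($args['valid'])) {
            return $args;
        }

        // Assumed config key, e.g. array('https://my.example.org') in the
        // plugin's config.inc.php (hypothetical name, not a Roundcube option).
        $this->load_config();
        $rcmail  = rcmail::get_instance();
        $allowed = (array) $rcmail->config->get('custom_login_origins', array());

        // Only a POST that names an allow-listed origin as Referer is trusted.
        if ($_SERVER['REQUEST_METHOD'] === 'POST'
            && !empty($_SERVER['HTTP_REFERER'])
            && self::referer_allowed($_SERVER['HTTP_REFERER'], $allowed)) {
            $args['valid'] = true;
        }
        return $args;
    }

    // Compare scheme://host[:port] exactly; a substring match on the
    // Referer string would let a look-alike host pass.
    static function referer_allowed($referer, array $allowed)
    {
        $p = parse_url($referer);
        if (!$p || empty($p['scheme']) || empty($p['host'])) {
            return false;
        }
        $origin = strtolower($p['scheme'] . '://' . $p['host']
            . (isset($p['port']) ? ':' . $p['port'] : ''));
        return in_array($origin, array_map('strtolower', $allowed), true);
    }
}
```

The Referer header is supplied by the client and may be absent or suppressed, so this narrows the bypass to one origin rather than restoring the token check; the check fails closed when the header is missing.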
List info: http://lists.roundcube.net/dev/
