On Mon, Sep 02, 2013 at 05:57:16PM +0200, Petr Vobornik wrote:
> > > Could we change the CSRF protection method from the Referrer check to
> > > some user session specific token?
>
> I don't think we can use the recommended method[1] where the CSRF token
> is stored in a requested page (i.e. in a hidden element) because we don't
> generate UI on a server.
>
> The only way to use the token, which I see, is to create the CSRF token
> on login and return it in a cookie.
Does it have to be a cookie? What is the result of a login operation? It seems that at least for the /ipa/session/login_password call, it is the result of finalize_kerberos_acquisition which is return [''], and that empty string is ignored by IPA.login_password's success_handler. Could the return be the token, and get stored either in IPA.ui.csrf_token or a similar place, or stored in an element in the DOM? You don't really need to use cookies for that.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
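As an added illustration of the scheme discussed in the thread (example code, not FreeIPA's own and not posted by either author): the login call returns a per-session token in its result instead of a cookie, the client sends it back in a request header, and the server compares it against the copy bound to the session. The header name, the in-memory session store and the check_referer function standing in for the current Referer check are all constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory session store; a real server would keep this
# alongside the authenticated session (e.g. keyed by the session cookie).
SESSIONS = {}
CSRF_HEADER = "X-CSRF-Token"  # hypothetical header name, not FreeIPA's


def create_session():
    """Start an unauthenticated session; no CSRF token exists yet."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": None}
    return sid


def login(sid):
    """Authenticate the session and return a fresh CSRF token in the
    response body (where the thread notes the real call returns ['']),
    so the client can keep it in a JS variable or DOM element, not a cookie."""
    session = SESSIONS[sid]
    # A new token on every login: nothing captured before this login is valid.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return [token]


def check_csrf(sid, headers):
    """Accept a state-changing request only if the token the client copied
    into a request header matches the one bound to its session."""
    session = SESSIONS.get(sid)
    if session is None or session["csrf_token"] is None:
        return False  # unknown or never-authenticated session
    presented = headers.get(CSRF_HEADER)
    if presented is None:
        return False  # a cross-site HTML form post cannot add custom headers
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(session["csrf_token"], presented)


def check_referer(headers, allowed_origin):
    """The check being replaced: it must fail closed when a client or proxy
    strips the Referer header, which is what breaks legitimate users."""
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(allowed_origin + "/")
```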
