On Mon, Sep 02, 2013 at 05:57:16PM +0200, Petr Vobornik wrote:
> >
> >Could we change the CSRF protection method from the Referrer check to
> >some user session specific token?
> I don't think we can use the recommended method[1] where the CSRF token
> is stored in a requested page (i.e. in a hidden element) because we don't
> generate UI on a server.
> The only way to use the token, which I see, is to create a CSRF token
> on login and return it in a cookie.

Does it have to be cookie?

What is the result of a login operation? It seems that at least for
the /ipa/session/login_password call, it is the result of
finalize_kerberos_acquisition, which returns [''], and that empty
string is ignored by IPA.login_password's success_handler. Could the
return be the token, and get stored either to IPA.ui.csrf_token or
similar place, or stored to an element in the DOM? You don't really
need to use cookies for that.

Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat

Freeipa-devel mailing list
