On Mon, Sep 02, 2013 at 05:57:16PM +0200, Petr Vobornik wrote:
> >Could we change the CSRF protection method from the Referrer check to
> >some user session specific token?
> I don't think we can use the recommended method where the CSRF token
> is stored in a requested page (i.e. in a hidden element) because we don't
> generate UI on a server.
> The only way to use the token, which I see, is to create the CSRF token
> on login and return it in a cookie.
Does it have to be a cookie?
What is the result of a login operation? It seems that at least for
the /ipa/session/login_password call, it is the result of
finalize_kerberos_acquisition which returns [''], and that empty
string is ignored by IPA.login_password's success_handler. Could the
return be the token, and get stored either to IPA.ui.csrf_token or
similar place, or stored to an element in the DOM? You don't really
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
Freeipa-devel mailing list