On Mon, Sep 02, 2013 at 05:57:16PM +0200, Petr Vobornik wrote:
> >
> >Could we change the CSRF protection method from the Referrer check to
> >some user session specific token?
>
> I don't think we can use the recommended method[1] where the CSRF token
> is stored in a requested page (i.e. in a hidden element) because we don't
> generate UI on a server.
> 
> The only way to use the token, which I see, is to create the CSRF token
> on login and return it in a cookie.

Does it have to be cookie?

What is the result of a login operation? It seems that at least for
the /ipa/session/login_password call, it is the result of
finalize_kerberos_acquisition which returns [''], and that empty
string is ignored by IPA.login_password's success_handler. Could the
return be the token, and get stored either to IPA.ui.csrf_token or a
similar place, or stored to an element in the DOM? You don't really
need to use cookies for that.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
