As I (try to) implement the Account Management specification, I came across the need to make a way to, given simply a username and password (POSTed), log in the user. I immediately thought of the main/login action, which seems to do just that. However, main/login uses a token to create CSRF (cross site request forgery) protection, so it cannot be used for the account management specification's purpose.

As far as my understanding of CSRF goes, the username/password login process isn't vulnerable to such an attack (because the user isn't logged in yet, and it's not a target for malicious action, like posting a notice would be). Therefore, I'd like to remove the CSRF protection from the main/login action. And if that's okay, I'd also like to remove the CSRF protection from main/openid (for the same reasons). Thoughts?

~Craig

_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
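The token mechanism the message refers to, a per-session CSRF token embedded in the login form and checked before the credentials are examined, as an added example that is not StatusNet's code (StatusNet is PHP; Python is used here as a stand-in). The session store, user table, field names and messages are all assumptions; the example shows why a client that POSTs only a username and password to such an action is rejected, which is the situation the message describes.

```python
import hashlib
import hmac
import secrets

# Constructed sample user table: nickname -> (salt, PBKDF2 hash). Not StatusNet's schema.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


class Session:
    """Minimal server-side session (assumption: one dict per browser session)."""

    def __init__(self):
        self.data = {}


def issue_csrf_token(session):
    """Create the session's CSRF token lazily; the same token is reused until login."""
    token = session.data.get("csrf_token")
    if token is None:
        token = secrets.token_hex(32)
        session.data["csrf_token"] = token
    return token


def render_login_form(session):
    """Embed the session token as a hidden field. The token is hex, so no HTML escaping is needed."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/main/login">'
        f'<input type="hidden" name="token" value="{token}">'
        '<input name="nickname"><input type="password" name="password">'
        "</form>"
    )


def check_credentials(nickname, password):
    record = USERS.get(nickname)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def handle_login_post(session, form):
    """Return (http_status, message). The token check runs before credentials are looked at,
    so a POST carrying only nickname/password never reaches the password check."""
    expected = session.data.get("csrf_token")
    submitted = form.get("token")
    if expected is None or submitted is None or not hmac.compare_digest(expected, submitted):
        return 403, "bad or missing session token"
    if not check_credentials(form.get("nickname", ""), form.get("password", "")):
        return 401, "invalid credentials"
    session.data["user"] = form["nickname"]
    # Rotate the token on successful login so the pre-login token is not reusable afterwards.
    session.data["csrf_token"] = secrets.token_hex(32)
    return 200, "logged in"
```

Usage: render the form once for a session to mint the token, then submit the form fields plus the token to handle_login_post; the same submission without the token field, or with a token from a different session, is refused with 403 before the password is ever compared.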