[Freeipa-devel] [PATCH] keep uid in session until successful update
Rob Crittenden
rcritten at redhat.com
Thu Feb 21 15:17:17 UTC 2008
Simo Sorce wrote:
> On Wed, 2008-02-20 at 16:58 -0500, Rob Crittenden wrote:
>> Don't clear the session until a successful update.
>
> Can you explain what this change involves?
> Simo.
>
Ok, so the purpose of this originally was to prevent someone being
tricked into doing a POST to the self-service site and changing their
password.
There is a server-side session that tries to keep track of the user you
are editing. When it comes time to save any changes it verifies that the
changes that are being saved are being done to the user that was loaded.
The problem is that very early in the update process I clear this value.
It is a problem because if there is an error on the page (like a missing
required field, formatting problem, whatever) the user is redirected to
the edit page but the session has already been cleared.
So I've moved the clearing of the session value to after the update is
successful.
rob
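The ordering problem described in the message, as an added illustration that is not FreeIPA's code: a server-side session remembers which user the edit page loaded, the save handler checks the submitted uid against it, and the only difference between the two handlers below is whether the session value is cleared before validation or after a successful update. The `edit_uid` session key, the form fields and the return strings are constructed for this example.

```python
# Constructed example modelling the "user being edited" session check from the
# message. Not FreeIPA code: the session key, form layout and return values are
# assumptions made for illustration.


class ValidationError(Exception):
    """Raised when a submitted form fails server-side validation."""


def load_user_for_edit(session, uid):
    """GET of the edit page: record in the session which user is being edited."""
    session["edit_uid"] = uid
    return {"uid": uid}


def _validate(form):
    # Stand-in for the real field checks; one required field is enough here.
    if not form.get("givenname"):
        raise ValidationError("givenname is required")


def update_user_early_clear(session, form, store):
    """Original ordering: the session value is removed before the update runs."""
    edit_uid = session.pop("edit_uid", None)  # cleared here, too early
    if edit_uid is None or edit_uid != form.get("uid"):
        return "rejected"  # POST does not match the user this session loaded
    try:
        _validate(form)
    except ValidationError:
        # Redirect back to the edit page. The session is already empty, so the
        # user's corrected resubmission will be rejected.
        return "redirect_edit"
    store[edit_uid] = dict(form)
    return "updated"


def update_user_clear_after_success(session, form, store):
    """Fixed ordering: the session value is kept until the update succeeds."""
    edit_uid = session.get("edit_uid")
    if edit_uid is None or edit_uid != form.get("uid"):
        return "rejected"
    try:
        _validate(form)
    except ValidationError:
        return "redirect_edit"  # session left intact, resubmission still works
    store[edit_uid] = dict(form)
    session.pop("edit_uid", None)  # cleared only once the save went through
    return "updated"


def simulate(update):
    """Load the edit page, submit a form with a missing field, then resubmit a
    corrected form. Returns the outcome of both POSTs."""
    session, store = {}, {}
    load_user_for_edit(session, "admin")
    bad_form = {"uid": "admin", "givenname": ""}  # constructed: missing field
    good_form = {"uid": "admin", "givenname": "Administrator"}
    first = update(session, bad_form, store)
    second = update(session, good_form, store)
    return first, second


def simulate_unloaded_post(update):
    """A POST arriving in a session that never loaded the edit page."""
    session, store = {}, {}
    forged_form = {"uid": "admin", "givenname": "x"}  # constructed
    return update(session, forged_form, store)


if __name__ == "__main__":
    print("early clear:", simulate(update_user_early_clear))
    print("clear after success:", simulate(update_user_clear_after_success))
    print("no edit page loaded:", simulate_unloaded_post(update_user_clear_after_success))
```

With the early clear, the validation error on the first POST leaves the second, corrected POST with nothing to check against and it is rejected; with the clear moved after the successful store, the corrected POST goes through. Both orderings still reject a POST from a session that never loaded the edit page, so the check the message describes is preserved by the fix.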