[Freeipa-devel] [PATCH] keep uid in session until successful update
Simo Sorce
ssorce at redhat.com
Thu Feb 21 15:35:11 UTC 2008
On Thu, 2008-02-21 at 10:17 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2008-02-20 at 16:58 -0500, Rob Crittenden wrote:
> >> Don't clear the session until a successful update.
> >
> > Can you explain what this change involves?
> > Simo.
> >
>
> Ok, so the purpose of this originally was to prevent someone being
> tricked into doing a POST to the self-service site and changing their
> password.
>
> There is a server-side session that tries to keep track of the user you
> are editing. When it comes time to save any changes it verifies that the
> changes that are being saved are being done to the user that was loaded.
>
> The problem is that very early in the update process I clear this value.
> It is a problem because if there is an error on the page (like missing
> required field, formatting problem, whatever) the user is redirected to
> the edit page but the session has already been cleared.
>
> So I've moved the clearing of the session value to after the update is
> successful.
ok, then ack
--
Simo Sorce * Red Hat, Inc * New York
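The session-bound target check Rob describes, and the difference between clearing the session value at the start of the update and clearing it only after a successful save, modelled as an added example in Python. This is not FreeIPA's own code: the handler names, the dict-based session, the `uid`/`mail` fields, and the assumption that the error redirect re-renders the edit form without re-setting the session value (the behaviour the thread describes) are all constructed for the illustration.

```python
"""Session-bound edit target check: a self-contained model.

Added illustration, not FreeIPA code. Handler names, the dict session,
the form fields and the error-redirect behaviour are assumptions.
"""

REQUIRED_FIELDS = ("uid", "mail")


class Session(dict):
    """Stand-in for a per-browser server-side session store."""


def load_edit_page(session, uid):
    """GET /edit/<uid>: remember which user this browser is editing."""
    session["edit_uid"] = uid
    return {"status": 200, "editing": uid}


def _missing_fields(form):
    return [f for f in REQUIRED_FIELDS if not form.get(f)]


def _check_target(session, form):
    """The guard: the POSTed uid must match the user loaded on the edit page.
    A POST that arrives without a prior edit-page load has no edit_uid and fails."""
    loaded = session.get("edit_uid")
    return loaded is not None and loaded == form.get("uid")


def update_user_clear_early(session, form, store):
    """Before the patch: the session value is cleared at the start of the
    update, so a validation error leaves the retry with no loaded user."""
    if not _check_target(session, form):
        return {"status": 403, "error": "uid does not match loaded user"}
    session.pop("edit_uid", None)          # cleared too early
    missing = _missing_fields(form)
    if missing:
        # Redirect back to the edit form (assumed not to re-set edit_uid).
        return {"status": 302, "location": "/edit/%s" % form["uid"], "missing": missing}
    store[form["uid"]] = dict(form)
    return {"status": 200, "updated": form["uid"]}


def update_user_clear_after(session, form, store):
    """After the patch: the session value survives until the save succeeds."""
    if not _check_target(session, form):
        return {"status": 403, "error": "uid does not match loaded user"}
    missing = _missing_fields(form)
    if missing:
        return {"status": 302, "location": "/edit/%s" % form["uid"], "missing": missing}
    store[form["uid"]] = dict(form)
    session.pop("edit_uid", None)          # cleared only on success
    return {"status": 200, "updated": form["uid"]}


def scenario(update):
    """Drive one update handler through the cases the thread discusses."""
    session, store = Session(), {}
    results = {}
    # 1. A POST with no preceding edit-page load (the tricked-browser case).
    results["forged"] = update(session, {"uid": "alice", "mail": "a@example.test"}, store)["status"]
    # 2. Edit page loaded for alice, but the POST targets a different user.
    load_edit_page(session, "alice")
    results["wrong_user"] = update(session, {"uid": "bob", "mail": "b@example.test"}, store)["status"]
    # 3. Legitimate submit with a required field missing: redirected to the form.
    results["first"] = update(session, {"uid": "alice", "mail": ""}, store)["status"]
    # 4. User corrects the field and resubmits the same form.
    results["retry"] = update(session, {"uid": "alice", "mail": "alice@example.test"}, store)["status"]
    results["stored"] = "alice" in store
    return results


if __name__ == "__main__":
    print("clear early:", scenario(update_user_clear_early))
    print("clear after:", scenario(update_user_clear_after))
```

Both variants refuse the forged POST and the cross-user POST; only the patched ordering lets the user recover from a validation error, because the check that protects the save and the value it depends on are both still in place when the corrected form comes back.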