[Freeipa-devel] IPA Server UI Behind Proxy
Petr Vobornik
pvoborni at redhat.com
Tue Sep 3 07:57:45 UTC 2013
On 09/03/2013 02:50 AM, Jan Pazdziora wrote:
> On Mon, Sep 02, 2013 at 05:57:16PM +0200, Petr Vobornik wrote:
>>>
>>> Could we change the CSRF protection method from the Referrer check to
>>> some user session specific token?
>>
>> I don't think we can use the recommended method[1] where CSFR token
>> is stored in a requested page(ie in hidden element) because we don't
>> generate UI on a server.
>>
>> The only way to use the token, which I see, is to create CSFR token
>> on login and returned it in a cookie.
>
> Does it have to be cookie?
>
> What is the result of a login operation? It seems that at least for
> the /ipa/session/login_password call, it is the result of
> finalize_kerberos_acquisition which is return [''], and that empty
> string is ignored by IPA.login_password's success_handler. Could the
> return be the token, and get stored either to IPA.ui.csrf_token or
> similar place, or stored to an element in the DOM? You don't really
> need to use cookies for that.
>
It has one drawback. You won't have access to the token if you open new
instance of Web UI because you already have a session and therefore
don't need to log in.
I suppose we can create a new handler (can't be a command) which new Web
UI instance would call to obtain the token. Special care would be needed
to prevent cross origin usage though.
IMO the cookie is more secure, but I'm not a security expert ...
--
Petr Vobornik
More information about the Freeipa-devel
mailing list