Alexander Wels has posted comments on this change.

Change subject: userportal,webadmin: token generation fix
......................................................................
Patch Set 1:

I am not seeing how I am exposing any more information than before. Right now it calculates a hash based on the jsessionid cookie that is passed in by the client. This value 99% of the time is the same as the current http session id. In one particular case the values will be different, namely the session has timed out and the client doesn't know it for whatever reason. Then the following happens currently: the client sends a request for an xsrf token and passes in a stale jsessionid cookie. A token based on this value is now generated, AND a new jsessionid cookie is sent to the client. The token and cookie are no longer in sync. So whatever next request is made that requires a token will fail. This patch, instead of reading the cookie, reads the session id on the server to generate the proper token. But most of the time the cookie and session id are the same.

--
To view, visit http://gerrit.ovirt.org/30849
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3e9a234bada73873f398d4220808f573810440dc
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Einav Cohen <eco...@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: No

_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
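The token/cookie desync described in the comment above, modelled as an added example. This is constructed illustration code, not oVirt or GWT code and not the patch itself: the in-memory session store, the HMAC-based token derivation, the `SERVER_SECRET` value and all function names are assumptions. The page only says the token is "a hash based on the jsessionid"; the example makes the two strategies (hash the client-supplied cookie versus hash the session id the server actually resolved) explicit and shows that only the second one survives a server-side session timeout the client has not noticed.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret keying the token derivation. The
# original only states that the token is a hash of the session id.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"


def derive_token(session_id: str) -> str:
    """Derive the XSRF token from a session id (HMAC-SHA256 is an assumption)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal stand-in for the servlet container's session table."""

    def __init__(self):
        self._live = set()

    def get_session(self, cookie_sid):
        """Mimic request.getSession(): return the live session named by the
        cookie, or create a fresh one when the cookie is missing or stale.
        The caller must treat the returned id as the new Set-Cookie value."""
        if cookie_sid in self._live:
            return cookie_sid
        new_sid = secrets.token_hex(16)
        self._live.add(new_sid)
        return new_sid

    def expire(self, sid):
        """Server-side timeout; the client still holds the old cookie."""
        self._live.discard(sid)


class Client:
    """Browser-side state: the JSESSIONID cookie and the cached XSRF token."""

    def __init__(self):
        self.cookie_sid = None
        self.token = None


def token_request(store, client, use_server_session_id):
    """Serve the XSRF-token request and let the client absorb the response.

    use_server_session_id=False: hash the cookie the client sent (the
    behaviour the comment says is current).  True: hash the session id the
    server resolved (what the comment says the patch does).  Either way the
    container hands back the resolved id as the cookie, so with a stale
    cookie the two strategies diverge.
    """
    resolved_sid = store.get_session(client.cookie_sid)
    basis = resolved_sid if use_server_session_id else client.cookie_sid
    client.cookie_sid = resolved_sid
    client.token = derive_token(basis) if basis is not None else None
    return resolved_sid, client.token


def protected_request(store, client):
    """A request that needs a token: the server recomputes the token for the
    session it resolves from the incoming cookie and compares in constant time."""
    resolved_sid = store.get_session(client.cookie_sid)
    client.cookie_sid = resolved_sid
    if client.token is None:
        return False
    return hmac.compare_digest(client.token, derive_token(resolved_sid))


def simulate(session_timed_out, use_server_session_id):
    """Return True if the protected request issued after the token fetch succeeds."""
    store = SessionStore()
    client = Client()
    # Initial page load establishes a session and the JSESSIONID cookie.
    client.cookie_sid = store.get_session(None)
    if session_timed_out:
        store.expire(client.cookie_sid)  # the client does not learn of this
    token_request(store, client, use_server_session_id)
    return protected_request(store, client)


if __name__ == "__main__":
    for timed_out in (False, True):
        for fixed in (False, True):
            print(f"timed_out={timed_out} fixed={fixed} ->", simulate(timed_out, fixed))
```

Running the four combinations shows the case the comment singles out: with a live session both strategies agree, because the cookie and the resolved session id are the same string; once the session has expired server-side, hashing the stale cookie yields a token for a session that no longer exists while the response simultaneously rotates the cookie, so the next protected request is rejected, whereas hashing the resolved session id keeps the token and cookie in sync.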