Vojtech Szocs has posted comments on this change. Change subject: userportal,webadmin: token generation fix ......................................................................
Patch Set 1: Code-Review+2 Alex, you are correct. I missed the fact that after session association on server (based on cookie), which happens for both legitimate and malicious request, it doesn't really matter if we read the cookie value -or- if we read the session ID value; both should be the same. I agree that reading session ID instead of cookie will prevent the case of obtaining "stale" token (in a situation where the original session, as indicated by the cookie, has already expired). Personally, I'd prefer to have a separate XSRF token representation to make things more explicit, i.e. md5(httpSessionId) stored as session attribute. This is up to your consideration. Requiring XSRF token acquiry prior to calling backend can defend against malicious sites (running JavaScript), assuming backend will refuse to service malicious requests (XHR is subject to SOP, server can override this with CORS). In case of XSS, this technique is still not efficient; malicious code will have its XHR pass SOP, acquire XSRF token and make malicious backend requests that seem legitimate. I really feel we should stop using cookies altogether. The fact that JavaEE servlet spec uses cookie as determining factor for session association, AFAIK without any possibility to customize request-to-session association, is quite unfortunate. But then again, we can use tricks like mapping headers to/from cookie on HTTP server in front of application server. -- To view, visit http://gerrit.ovirt.org/30849 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I3e9a234bada73873f398d4220808f573810440dc Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alexander Wels <aw...@redhat.com> Gerrit-Reviewer: Alexander Wels <aw...@redhat.com> Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Einav Cohen <eco...@redhat.com> Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com> Gerrit-Reviewer: automat...@ovirt.org Gerrit-Reviewer: oVirt Jenkins CI Server Gerrit-HasComments: No _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
