On 22.05.2014 15:34, Reindl Harald wrote:
On 22.05.2014 15:28, Rosali wrote:
If it is your opinion that the login page has to be CSRF protected then OK.
BUT I don't want to have sessions started just for CSRF prevention for ANY
code which is executed in an unauthenticated state.
you refuse to understand how CSRF works
* at the first call the server generates a token
* the token is placed in a hidden field
* before taking any action the submitted token is verified
against the one from the first request
how do you genius imagine this works without storing the
token in a session, without starting a session at all?
I don't refuse to understand how it works. I know how it works. Please read more
carefully.
Roundcube has a plugin API and this API has a startu.
CURRENT CODE: Roundcube already executes code which is injected by the
hook in question. There is currently no CSRF prevention if you don't use
POST or AJAX requests. That's as it is and it is GOOD as is. I started a
discussion about not starting a session when there is no necessity. There is
no necessity to start a session if already EXISTING code does not use
the session in question. Currently the session is only used to approve
POST and AJAX requests by request tokens. Nothing more and nothing less.
So what? I hope this clarifies things for your genius imagination. Start a
separate discussion if you are not happy with Roundcube AS IS. All that
you are saying is off topic because it has nothing to do with the
initial discussion about avoiding unnecessary session starts.
hint: you can't do without
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
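The three steps listed in the thread (generate a token on the first request, put it in a hidden field, verify the submitted token against the stored one before acting) as a self-contained PHP script. This is an added illustration, not Roundcube code or anything the participants posted; the function names, the `_token` field name and the `$session` array (standing in for `$_SESSION` after `session_start()`) are assumptions, and the requests at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not Roundcube code): session-bound CSRF token flow.
// The session is passed in as a plain array so the script runs on the CLI
// without a session handler; in a real application this would be $_SESSION.
declare(strict_types=1);

const CSRF_TOKEN_KEY = 'csrf_token';   // hypothetical session key

/** Step 1: on the first call, create a random token and remember it in the session. */
function csrf_issue_token(array &$session): string
{
    if (empty($session[CSRF_TOKEN_KEY])) {
        // 32 random bytes from the CSPRNG, hex-encoded so it is safe in HTML attributes
        $session[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_TOKEN_KEY];
}

/** Step 2: embed the token in a hidden form field (escaped for the attribute context). */
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Step 3: before taking any action, compare the submitted token with the stored one.
 * Returns false when either side is missing: without a session token there is
 * nothing to verify against, which is the point made in the thread.
 */
function csrf_verify(array $session, array $post): bool
{
    $expected  = $session[CSRF_TOKEN_KEY] ?? null;
    $submitted = $post['_token'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison avoids leaking the token through timing differences.
    return hash_equals($expected, $submitted);
}

// --- Demonstration with a simulated session and constructed requests ---
$session = [];
$token = csrf_issue_token($session);          // first request: token issued
echo csrf_hidden_field($token), PHP_EOL;      // rendered into the form

$legitimate = ['_token' => $token,             'action' => 'delete'];
$forged     = ['_token' => 'attacker-guess',   'action' => 'delete'];
$missing    = [                                'action' => 'delete'];

printf("legitimate submission accepted: %s\n", csrf_verify($session, $legitimate) ? 'yes' : 'no');
printf("forged token accepted:          %s\n", csrf_verify($session, $forged)     ? 'yes' : 'no');
printf("missing token accepted:         %s\n", csrf_verify($session, $missing)    ? 'yes' : 'no');
// No session at all: the legitimate-looking token cannot be checked and is rejected.
printf("no session, token accepted:     %s\n", csrf_verify([], $legitimate)       ? 'yes' : 'no');
```

Run it with `php csrf_demo.php`. Only the first submission should be accepted; the last line shows why the token store has to exist on the server side: when nothing was persisted between the two requests, the verifier has no reference value and must reject, which is the constraint the thread is arguing about.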