[RCD] Roundcube session management

Cor Bosman cor at xs4all.nl
Thu May 22 22:08:30 CEST 2014


I don't think anyone really wants to remove CSRF tokens from the login page. They have a use, no matter how small the risk. The protection is basically against people that don't have access to your login screen, but somehow manage to (make you) post to your login screen anyways. That's enough reason to have sessions in the login screen, and Rosali should probably use a shell script to run those crontabs. That's a much cleaner solution.

> * what if your mailserver has rate-controls

Well, stop clicking that forged link then :)  

Cor
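
Added example, not part of the original message and not Roundcube's code: a Python illustration of the login-form CSRF check discussed above, where an anonymous pre-login session holds the token and a forged POST is rejected before the credential backend (the possibly rate-limited mail server) is contacted. The class, method names, in-memory store and sample credentials are assumptions made for illustration.

```python
import hmac
import secrets


class PreAuthSessions:
    """In-memory stand-in for server-side session storage (assumption)."""

    def __init__(self):
        self._store = {}

    def render_login(self, session_id=None):
        """GET login page: ensure an anonymous session exists, return (sid, token)."""
        if session_id not in self._store:
            session_id = secrets.token_urlsafe(32)
            self._store[session_id] = {"token": secrets.token_urlsafe(32), "user": None}
        return session_id, self._store[session_id]["token"]

    def handle_login(self, session_id, form_token, user, password, check_credentials):
        """POST login: verify the token first, only then try the credentials."""
        sess = self._store.get(session_id)
        if sess is None or not form_token:
            return "rejected", None
        # Constant-time comparison; encode so arbitrary form input cannot raise.
        if not hmac.compare_digest(sess["token"].encode(), form_token.encode()):
            return "rejected", None
        if not check_credentials(user, password):
            return "bad-credentials", session_id
        # Successful login: drop the anonymous session and issue a fresh id.
        del self._store[session_id]
        new_sid = secrets.token_urlsafe(32)
        self._store[new_sid] = {"token": secrets.token_urlsafe(32), "user": user}
        return "ok", new_sid


def demo():
    backend_calls = []  # records every attempt that reaches the auth backend

    def check_credentials(user, password):  # constructed stand-in for IMAP auth
        backend_calls.append(user)
        return (user, password) == ("alice", "correct horse")

    app = PreAuthSessions()
    sid, token = app.render_login()
    # Cross-site POST: the browser sends the session cookie, but no valid token.
    forged, _ = app.handle_login(sid, "", "attacker", "x", check_credentials)
    result, new_sid = app.handle_login(sid, token, "alice", "correct horse", check_credentials)
    return forged, result, new_sid != sid, backend_calls


if __name__ == "__main__":
    print(demo())
```
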

