On Sat, 12 Feb 2011 23:38:33 +0100, Philip Iezzi wrote:
Hi
You were introducing (better) CSRF protection in RC 0.5.1. In RC 0.5 we were able to provide our own custom login forms (on a different domain) for Roundcube. In 0.5.1 those forms no longer work, probably due to the missing "_token" POST request param. We're getting redirected to the login form right after submitting the login credentials.
We provide both "_user" and "_pass" input fields but are not able to provide the hidden "_token" field as this token gets generated by RC. Example login form that works perfectly under RC 0.5: https://my.onlime.ch/index/webmail
Is there any workaround for this in RC 0.5.1? I couldn't find any hints about custom login forms in your Wiki.
You could use a plugin (startup hook):
    function startup($args)
    {
        // in this example the outside login form must submit 'ajax=1' so
        // that a login attempt can be detected
        if (!empty($_POST['ajax']) && !empty($_POST['_user']) && !empty($_POST['_pass'])) {
            // perhaps some additional checks, e.g. the HTTP Referer ...
            $_POST['_token'] = $_SESSION['request_tokens']['login'];
        }
        return $args;
    }
Thanks!

Regards,
Philip
_______________________________________________
List info: http://lists.roundcube.net/dev/
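A complete plugin built around the startup hook suggested above, as an added example rather than code from the thread or from the Roundcube project itself; the plugin name, the allow-listed form origin and the use of the HTTP Referer header as the "additional check" are assumptions.

```php
<?php
// Hypothetical plugin file: plugins/external_login/external_login.php (name assumed)
// Lets a login form hosted on another host pass Roundcube's CSRF token check by
// copying the server-side login token into the POST data, but only for requests
// that appear to come from an allow-listed form. Copying the token unconditionally
// would switch the CSRF protection off for every client.
class external_login extends rcube_plugin
{
    // URL prefixes of our own external login forms (constructed sample value)
    private $allowed_referers = array(
        'https://my.onlime.ch/',
    );

    function init()
    {
        $this->add_hook('startup', array($this, 'startup'));
    }

    function startup($args)
    {
        // The external form must submit ajax=1 so a login attempt is recognised
        if (empty($_POST['ajax']) || empty($_POST['_user']) || empty($_POST['_pass'])) {
            return $args;
        }
        // Refuse to fill in the token unless the Referer matches one of our forms
        if (!$this->referer_allowed()) {
            return $args;
        }
        // Supply the token the external form could not know (session key as in the thread)
        if (!empty($_SESSION['request_tokens']['login'])) {
            $_POST['_token'] = $_SESSION['request_tokens']['login'];
        }
        return $args;
    }

    // True when the Referer header starts with one of the allow-listed prefixes
    private function referer_allowed()
    {
        $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        foreach ($this->allowed_referers as $prefix) {
            if (strncmp($referer, $prefix, strlen($prefix)) === 0) {
                return true;
            }
        }
        return false;
    }
}
```

Browsers and privacy proxies may strip the Referer header, so legitimate logins from the external form then fall back to the normal token check; a browser-based cross-site request cannot forge it, which is what keeps the bypass narrower than the original token-only workaround.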