> On 22.05.2014 15:34, Reindl Harald wrote:
>> On 22.05.2014 15:28, Rosali wrote:
>>> If it is your opinion that the login page has to be CSRF protected then OK. BUT I don't want to have sessions started just for CSRF prevention for ANY code which is executed in a not authenticated state.
>> you refuse to understand how CSRF works
>> - at the first call the server generates a token
>> - the token is placed in a hidden field
>> - before taking any action the submitted token is verified against the one from the first request
>> how do you, genius, imagine this works without storing the token in a session, without starting a session at all?
> I don't refuse to understand how it works. I know how it works. Please read more carefully.
> Roundcube has a plugin API and this API has a startu.
> CURRENT CODE: Roundcube already executes code which is injected by the hook in question. There is currently no CSRF prevention if you don't use POST or AJAX requests. That's as it is and it is GOOD as is. I started a discussion not to start a session when there is no necessity. There is no necessity to start a session if already EXISTING code does not use the session in question. Currently the session is only used to approve POST and AJAX requests by request tokens. Nothing more and nothing less. So what? I hope this clarifies things for your genius imagination. Start a separate discussion if you are not happy with Roundcube AS IS. All that you are saying is off topic because it has nothing to do with the initial discussion to avoid unnecessary session starts.
hint: you can't do without
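The token flow Harald lists above (generate on first call, keep it in a hidden field, verify before acting) and Rosali's point that a request which uses no session data has no reason to start one, as an added example. This is generic Python written for this thread, not Roundcube code and not its plugin API: the SessionStore class, the request/form dict shapes and the function names are all constructed for illustration. The session is started only at the moment a token has to be stored server-side; a plain public GET touches no session at all.

```python
"""CSRF synchronizer-token flow with a lazily started session.

Added illustration, not Roundcube code: SessionStore, the form dict shape
and the function names are constructed for this example.
"""
import hmac
import secrets


class SessionStore:
    """In-memory stand-in for server-side session storage (constructed)."""

    def __init__(self):
        self.sessions = {}  # session id (the cookie value) -> session data

    def start(self):
        """Start a fresh session and return its id."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def handle_public_get(store, path):
    """A request that reads no session data: no session gets started."""
    return {"path": path, "sessions_open": len(store.sessions)}


def render_form(store, sid=None):
    """First call: generate the token, keep a copy server-side, emit a hidden field.

    The session is started here, lazily, only because the token has to live
    somewhere on the server until the form is submitted back.
    """
    sess = store.get(sid) if sid else None
    if sess is None:
        sid = store.start()
        sess = store.get(sid)
    token = sess.get("csrf_token")
    if token is None:
        token = secrets.token_hex(32)
        sess["csrf_token"] = token
    hidden = '<input type="hidden" name="_token" value="%s">' % token
    return {"sid": sid, "token": token, "html": hidden}


def handle_post(store, sid, form):
    """Before taking any action, check the submitted token against the stored one."""
    sess = store.get(sid) if sid else None
    if sess is None or "csrf_token" not in sess:
        return {"ok": False, "reason": "no token was issued for this session"}
    submitted = form.get("_token", "")
    # Constant-time compare so the check itself leaks nothing about the token.
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return {"ok": False, "reason": "token mismatch"}
    return {"ok": True, "reason": "token matches"}


if __name__ == "__main__":
    store = SessionStore()
    print(handle_public_get(store, "/about"))      # sessions_open stays 0
    page = render_form(store)                       # first session starts here
    print(page["html"])
    print(handle_post(store, page["sid"], {"_token": page["token"]}))
    print(handle_post(store, page["sid"], {"_token": "forged"}))
```

A token only validates together with the session it was issued in: a submission carrying session A's cookie and session B's token is rejected, which is exactly why the token has to be stored server-side and why a form-bearing page cannot avoid starting a session, while a request that never reads session data can.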
Roundcube Development discussion mailing list dev@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/dev