Hi
You introduced (better) CSRF protection in RC 0.5.1. In RC 0.5 we were able to provide our own custom login forms (on a different domain) for Roundcube. In 0.5.1 those forms no longer work, probably due to the missing "_token" POST request param. We're getting redirected to the login form right after submitting the login credentials.
We provide both "_user" and "_pass" input fields but are not able to provide the hidden "_token" field as this token gets generated by RC. Example login form that works perfectly under RC 0.5: https://my.onlime.ch/index/webmail
Is there any workaround for this in RC 0.5.1? I couldn't find any hints about custom login forms in your Wiki.
Thanks! Regards, Philip

List info: http://lists.roundcube.net/dev/ BT/aba52c80
On Sat, 12 Feb 2011 23:38:33 +0100, Philip Iezzi wrote:
You could use a plugin (startup hook):
    function startup($args)
    {
        // in this example the outside login form must submit 'ajax=1'
        // so we can detect a login attempt coming from it
        if (!empty($_POST['ajax']) && !empty($_POST['_user']) && !empty($_POST['_pass'])) {
            // perhaps some additional checks, e.g. HTTP Referer ...
            // copy the session's login token into the request so the CSRF check passes
            $_POST['_token'] = $_SESSION['request_tokens']['login'];
        }
        return $args;
    }
Philip Iezzi wrote:
You have to create a small plugin that hooks into the 'authenticate' hook and sets the 'valid' field to true. See http://trac.roundcube.net/wiki/Plugin_Hooks#authenticate
To keep CSRF protection you could do some additional checks (e.g. a Referer check) to verify the origin of the login request before setting 'valid' to true.
Regards, Thomas
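A plugin along the lines of both suggestions above (the startup-hook variant and Thomas's 'authenticate' variant), added here as an illustration and not the onlime_custom_login plugin Philip attached: it only sets 'valid' when the request is a POST carrying credentials whose Origin (or, failing that, Referer) host is on an explicit HTTPS allowlist, so Roundcube's own token check stays in force for every other request. The plugin name and the config key 'custom_login_origins' are assumptions.

```php
<?php
// Added example (not the attached onlime_custom_login plugin): accept a login
// POST from an external form only when its origin is on an explicit allowlist.
// Assumed config key: $rcmail_config['custom_login_origins'] = array('my.onlime.ch');
class custom_login_origin extends rcube_plugin
{
    public $task = 'login';

    function init()
    {
        $this->load_config();
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    function authenticate($args)
    {
        // Leave Roundcube's own token check untouched unless this is a POST
        // with credentials; an already-valid request needs no help either.
        if ($args['valid'] || $_SERVER['REQUEST_METHOD'] !== 'POST'
            || empty($_POST['_user']) || empty($_POST['_pass'])) {
            return $args;
        }

        $rcmail  = rcmail::get_instance();
        $allowed = (array) $rcmail->config->get('custom_login_origins', array());

        // Prefer Origin when the browser sends it (page scripts cannot set it);
        // fall back to Referer, which proxies and privacy settings may strip.
        $source = '';
        if (!empty($_SERVER['HTTP_ORIGIN'])) {
            $source = $_SERVER['HTTP_ORIGIN'];
        } elseif (!empty($_SERVER['HTTP_REFERER'])) {
            $source = $_SERVER['HTTP_REFERER'];
        }

        $parts = $source !== '' ? parse_url($source) : false;
        $host  = ($parts && isset($parts['host'])) ? strtolower($parts['host']) : '';

        // Exact, case-insensitive host match and https only, so a form served
        // over plain http (or a lookalike host) cannot satisfy the check.
        if ($host !== '' && in_array($host, $allowed, true)
            && isset($parts['scheme']) && $parts['scheme'] === 'https') {
            $args['valid'] = true;
        }

        return $args;
    }
}
```

A missing or stripped Referer/Origin simply leaves 'valid' unchanged, so such a request is rejected by the normal token check rather than accepted by default.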
On 14.02.2011 at 10:50, Thomas Bruederli wrote:
Hi Thomas & Roland
Thanks a lot for your solution, which works perfectly for me. Could you please consider integrating such a plugin in future versions of RC? I've attached my plugin "onlime_custom_login" for anybody else who runs into this problem in RC 0.5.1.
Regards, Philip
The following attachments have been detached and are available for viewing:
http://detached.gigo.com/rc/cJ/5CGBnChk/config.inc.php.dist
http://detached.gigo.com/rc/cJ/5CGBnChk/onlime_custom_login.php