On 12/02/2014 07:23 PM, Vojtech Szocs wrote:
> Hi,
>
> Since 3.5 the oVirt REST API features a CSRF protection
> mechanism via CSRFProtectionFilter, see [1] for details.
>
> [1] http://gerrit.ovirt.org/#/c/29681/
>
> I'd like to ask what's the motivation behind calling the
> CSRF token header "JSESSIONID". I think the header name
> should reflect its logical purpose to avoid confusion.

The motivation is that the CSRF protection filter checks the session
identifier, and as we plan to introduce a header for the session in the
future, there is no need for an additional header.

> Could we rename this header to something more appropriate,
> like "OVIRT-REST-CSRF-TOKEN" or similar? It would better
> reflect the purpose of this (CSRF protection) header.
>
> In the future, we can still have another request header
> named "JSESSIONID" for transmitting the session ID from the
> client to the server; however, this potential new header would
> have a different purpose (transferring the session ID vs. the
> CSRF token). Each header should have a name reflecting its
> purpose.
>
> (This is just a suggestion.)
>
> Thanks,
> Vojtech
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
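The check the reply above describes, a servlet filter that compares the value of the "JSESSIONID" request header with the identifier of the established session, written out here as an added illustration for this page. It is not oVirt's own CSRFProtectionFilter from the linked change; the class name, the 401 response, the constant-time comparison and the decision to let requests that carry no established session pass through are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative CSRF filter (hypothetical; not oVirt's CSRFProtectionFilter).
 *
 * The "token" the client must echo in a request header is the session
 * identifier itself, the same value the browser already sends automatically
 * in the JSESSIONID cookie. A request forged from another origin gets the
 * cookie attached by the browser but cannot carry the custom header, so it
 * fails the comparison below.
 */
public class SessionIdCsrfFilter implements Filter {

    // Header name as used by the filter discussed in the thread.
    static final String CSRF_HEADER = "JSESSIONID";

    /** Returns true when the request may proceed past the CSRF check. */
    static boolean isAllowed(HttpServletRequest request) {
        // getSession(false) never creates a session as a side effect.
        HttpSession session = request.getSession(false);
        if (session == null) {
            // Assumption for this example: with no established session there
            // is nothing for a forged request to ride on, so let it through
            // to authentication.
            return true;
        }
        String token = request.getHeader(CSRF_HEADER);
        return token != null && constantTimeEquals(token, session.getId());
    }

    // Compare without leaking the position of the first mismatch via timing.
    static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAllowed(request)) {
            // Assumed status code for this example; reject before any handler runs.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "CSRF check failed");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

The protection rests on the browser's behaviour rather than on any secret beyond the session ID: cookies are attached to cross-site requests automatically, but a page on another origin cannot add a custom request header without a CORS preflight that the server does not grant, so only a client that legitimately holds the session identifier can satisfy the check. That is also why the reply sees no need for a second header once a "JSESSIONID" session header exists: the value the filter compares against is the same either way, which is exactly the naming overlap Vojtech's message asks about.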