REST API CSRF protection header name

Hi,

since 3.5 the oVirt REST API features a CSRF protection mechanism via CSRFProtectionFilter, see [1] for details.

[1] http://gerrit.ovirt.org/#/c/29681/

I'd like to ask what's the motivation behind calling the CSRF token header "JSESSIONID". I think the header name should reflect its logical purpose to avoid confusion.

Could we rename this header to something more appropriate like "OVIRT-REST-CSRF-TOKEN" or similar? It would better reflect the purpose of this (CSRF protection) header.

In future, we can still have another request header with the name "JSESSIONID" for transmitting the session ID from client to server, however this potential new header would have a different purpose (transfer session ID vs. CSRF token). Each header should have a name reflecting its purpose.

(This is just a suggestion.)

Thanks,
Vojtech

On 12/02/2014 07:23 PM, Vojtech Szocs wrote:
> Hi,
>
> since 3.5 the oVirt REST API features a CSRF protection mechanism via CSRFProtectionFilter, see [1] for details.
>
> [1] http://gerrit.ovirt.org/#/c/29681/
>
> I'd like to ask what's the motivation behind calling the CSRF token header "JSESSIONID". I think the header name should reflect its logical purpose to avoid confusion.

The motivation is that the CSRF protection filter checks the session identifier, and as we plan to introduce a header for the session in the future there is no need for an additional header.

> Could we rename this header to something more appropriate like "OVIRT-REST-CSRF-TOKEN" or similar? It would better reflect the purpose of this (CSRF protection) header.
>
> In future, we can still have another request header with the name "JSESSIONID" for transmitting the session ID from client to server, however this potential new header would have a different purpose (transfer session ID vs. CSRF token). Each header should have a name reflecting its purpose.
>
> (This is just a suggestion.)
>
> Thanks,
> Vojtech
--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Commercial Registry – C.I.F. B82657941 - Red Hat S.L.
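The check the thread describes, a request header that repeats the session identifier and is compared against the session cookie, as an added illustration that is not oVirt's CSRFProtectionFilter and not code from either poster. The cookie and header names follow the thread; the function names, the reason strings and the sample requests are constructed for this example.

```python
"""Session-bound CSRF check in the style discussed in the thread.

A browser attaches the session cookie to any cross-site request, but a
cross-site page cannot add a custom request header without an explicit
CORS grant. Requiring the session identifier to be repeated in a header
therefore separates requests made by the application's own client code
from forged cross-site requests.
"""
import hmac
from typing import Dict, Tuple

SESSION_COOKIE = "JSESSIONID"
CSRF_HEADER = "JSESSIONID"  # header name as discussed in the thread
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change server state


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Split a Cookie header value into a name -> value mapping."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def csrf_filter(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Only state-changing methods are checked; the request passes when the
    CSRF header is present and equals the session identifier in the cookie.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Header names are case-insensitive in HTTP, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    session_id = parse_cookies(lowered.get("cookie", "")).get(SESSION_COOKIE)
    if session_id is None:
        return False, "no session cookie"
    token = lowered.get(CSRF_HEADER.lower())
    if token is None:
        return False, "CSRF header missing"
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(token, session_id):
        return False, "CSRF header does not match session"
    return True, "ok"
```

Renaming the header, as proposed in the thread, only changes `CSRF_HEADER`; the comparison against the session cookie is unaffected.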