[ovirt-devel] REST API CSRF protection header name

Vojtech Szocs vszocs at redhat.com
Tue Dec 2 18:23:31 UTC 2014


Hi,

Since 3.5 the oVirt REST API features a CSRF protection
mechanism via CSRFProtectionFilter, see [1] for details.

[1] http://gerrit.ovirt.org/#/c/29681/

I'd like to ask what's the motivation behind calling the
CSRF token header "JSESSIONID". I think the header name
should reflect its logical purpose to avoid confusion.

Could we rename this header to something more appropriate
like "OVIRT-REST-CSRF-TOKEN" or similar? It would better
reflect the purpose of this (CSRF protection) header.

In the future, we can still have another request header with
the name "JSESSIONID" for transmitting the session ID from client
to server; however, this potential new header would have a
different purpose (transfer session ID vs. CSRF token).
Each header should have a name reflecting its purpose.

(This is just a suggestion.)

Thanks,
Vojtech
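An added illustration, not oVirt's own CSRFProtectionFilter (the post does not reproduce it): a check in the style the thread describes, where a request header must repeat the session ID that the browser sends in the session cookie, so a cross-site request (which cannot set custom headers) fails. The header name is a parameter, which is why the rename proposed above costs nothing functionally; the header and cookie names and the request shape are assumptions.

```python
import hmac
from http.cookies import SimpleCookie

# Assumed names: the CSRF header as the post proposes renaming it, and the
# servlet-container session cookie the token value is compared against.
CSRF_HEADER = "OVIRT-REST-CSRF-TOKEN"
SESSION_COOKIE = "JSESSIONID"


def session_id_from_cookie(cookie_header):
    """Return the session ID carried in the Cookie header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def csrf_check(headers, header_name=CSRF_HEADER):
    """Accept the request only if the CSRF header repeats the session ID.

    headers: dict of request headers (looked up case-insensitively).
    The browser attaches the cookie to a cross-site request automatically,
    but a cross-site page cannot read that cookie or set a custom header
    with its value, so a matching header proves the caller is the same
    origin that holds the session.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    session_id = session_id_from_cookie(lowered.get("cookie"))
    token = lowered.get(header_name.lower())
    if not session_id or not token:
        # No session, or no token header: treat as a cross-site request.
        return False
    # Constant-time comparison so the check does not leak the session ID.
    return hmac.compare_digest(session_id, token)
```

Switching the header name back to the current "JSESSIONID" is a single argument (`header_name="JSESSIONID"`); the check itself is unchanged, which is the point of the naming suggestion.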



More information about the Devel mailing list