[ovirt-devel] REST API CSRF protection header name
vszocs at redhat.com
Tue Dec 2 18:23:31 UTC 2014
Since 3.5, the oVirt REST API features a CSRF protection
mechanism via CSRFProtectionFilter, see  for details.
I'd like to ask what's the motivation behind calling the
CSRF token header "JSESSIONID". I think the header name
should reflect its logical purpose to avoid confusion.
Could we rename this header to something more appropriate
like "OVIRT-REST-CSRF-TOKEN" or similar? It would better
reflect the purpose of this (CSRF protection) header.
In the future, we can still have another request header with
the name "JSESSIONID" for transmitting the session ID from client
to server, however this potential new header would have
different purpose (transfer session ID vs. CSRF token).
Each header should have a name reflecting its purpose.
(This is just a suggestion.)
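As an added illustration (not oVirt's own CSRFProtectionFilter, whose internals the post does not describe), the following Python sketch keeps the two values apart the way the post proposes: the session ID travels in the JSESSIONID cookie, and the CSRF token travels in a separately named request header. The header name OVIRT-REST-CSRF-TOKEN is taken from the post's suggestion; the in-memory session store, the per-session random token and the check logic are assumptions made for the example. The point it demonstrates is why a custom header works as a CSRF defence at all: a cross-site form post or image load can carry the victim's session cookie, but cannot set an arbitrary request header, so a state-changing request that arrives with only the cookie is rejected.

```python
import hmac
import secrets

# Assumed names for the example: the cookie carrying the servlet session ID,
# and the CSRF token header name suggested in the post.
SESSION_COOKIE = "JSESSIONID"
CSRF_HEADER = "OVIRT-REST-CSRF-TOKEN"

# Methods treated as safe (no state change) and therefore not CSRF-checked.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed in-memory session store: session ID -> CSRF token bound to it.
# A real deployment would keep this in the servlet session, not a module dict.
_SESSIONS: dict[str, str] = {}


def create_session() -> tuple[str, str]:
    """Open a session and mint a random CSRF token bound to it.

    Returns (session_id, csrf_token). The server would set session_id in the
    JSESSIONID cookie and hand csrf_token to the client out of band (e.g. in
    a response header or body), so only same-origin code can learn it.
    """
    session_id = secrets.token_urlsafe(24)
    csrf_token = secrets.token_urlsafe(24)
    _SESSIONS[session_id] = csrf_token
    return session_id, csrf_token


def csrf_filter(method: str, cookies: dict, headers: dict) -> tuple[int, str]:
    """Emulate a servlet filter deciding whether a request may proceed.

    cookies: name -> value as parsed from the Cookie header.
    headers: name -> value; header names are matched case-insensitively,
             as HTTP requires.
    Returns (status_code, reason); 200 means the request passes the filter.
    """
    if method.upper() in SAFE_METHODS:
        return 200, "ok"

    # The session is identified by the cookie, which the browser attaches to
    # cross-site requests automatically; on its own it proves nothing about
    # who initiated the request.
    session_id = cookies.get(SESSION_COOKIE)
    if session_id is None or session_id not in _SESSIONS:
        return 401, "no session"

    # The CSRF token must come in a custom header, which a cross-site form or
    # <img> request cannot set. Normalise header names before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(CSRF_HEADER.lower())
    if presented is None:
        return 403, "missing csrf token"

    expected = _SESSIONS[session_id]
    # Constant-time comparison on bytes so a non-ASCII value cannot raise and
    # the comparison does not leak the token length by timing.
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return 403, "bad csrf token"
    return 200, "ok"


if __name__ == "__main__":
    sid, tok = create_session()
    # Cross-site style request: cookie present, no custom header -> rejected.
    print(csrf_filter("POST", {SESSION_COOKIE: sid}, {}))
    # Same-origin client that knows the token -> accepted.
    print(csrf_filter("POST", {SESSION_COOKIE: sid}, {CSRF_HEADER: tok}))
```

Whether oVirt's filter derives the token from the session ID itself or from a separate secret is not something the post settles; the example only shows that once the two values live in differently named carriers, neither the code nor the reader can confuse "which session is this" with "did a same-origin client send this".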