[ovirt-devel] REST API CSRF protection header name

Juan Hernández jhernand at redhat.com
Wed Dec 3 08:44:32 UTC 2014


On 12/02/2014 07:23 PM, Vojtech Szocs wrote:
> Hi,
> 
> since 3.5 the oVirt REST API features a CSRF protection
> mechanism via CSRFProtectionFilter, see [1] for details.
> 
> [1] http://gerrit.ovirt.org/#/c/29681/
> 
> I'd like to ask what's the motivation behind calling the
> CSRF token header "JSESSIONID". I think the header name
> should reflect its logical purpose to avoid confusion.
> 

The motivation is that the CSRF protection filter checks the session
identifier, and as we plan to introduce a header for the session in the
future there is no need for an additional header.

> Could we rename this header to something more appropriate
> like "OVIRT-REST-CSRF-TOKEN" or similar? It would better
> reflect the purpose of this (CSRF protection) header.
> 
> In future, we can still have another request header with
> name "JSESSIONID" for transmitting session ID from client
> to server, however this potential new header would have
> different purpose (transfer session ID vs. CSRF token).
> Each header should have name reflecting its purpose.
> 
> (This is just a suggestion.)
> 
> Thanks,
> Vojtech
> 


-- 
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
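The check Juan describes, a filter that requires the session identifier to be repeated in a request header, modelled as an added example. This is illustration code written for this page, not oVirt's CSRFProtectionFilter or anything from the gerrit change; the Request and SessionStore classes, the pass-through for requests that carry no session, and the constructed sample requests are assumptions of the model. The header and cookie names follow the thread (both JSESSIONID).

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Names assumed for this illustration: the thread says the CSRF header is
# called JSESSIONID, the same name as the servlet session cookie.
SESSION_COOKIE = "JSESSIONID"
CSRF_HEADER = "JSESSIONID"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by an unguessable session id."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def csrf_check(req, store):
    """Return True if the request may proceed past the CSRF filter.

    A forged cross-site request rides on the victim's session cookie, which
    the browser attaches automatically, but the attacking page cannot set a
    custom request header on it.  Requiring the session id to be repeated in
    a header therefore blocks the forgery without minting a separate token.
    """
    sid = req.cookies.get(SESSION_COOKIE)
    if sid is None or store.lookup(sid) is None:
        # No established session: there is nothing for a forged request to
        # act as, so the filter lets it through to whatever authentication
        # runs later (a modelling assumption, not oVirt's documented rule).
        return True
    header = req.headers.get(CSRF_HEADER)
    if header is None:
        return False
    # Constant-time comparison; encode first because compare_digest rejects
    # non-ASCII str input, and the header value is attacker-controlled.
    return hmac.compare_digest(sid.encode("utf-8"), header.encode("utf-8"))


def scenario():
    """Four requests against one live session; returns their verdicts."""
    store = SessionStore()
    sid = store.create("alice")
    # Same-origin client: reads the id it was given, repeats it in the header.
    legit = Request("POST", cookies={SESSION_COOKIE: sid},
                    headers={CSRF_HEADER: sid})
    # Cross-site form post: browser adds the cookie, attacker cannot add header.
    forged = Request("POST", cookies={SESSION_COOKIE: sid})
    # Attacker guessing the header value.
    guessed = Request("POST", cookies={SESSION_COOKIE: sid},
                      headers={CSRF_HEADER: "not-the-session-id"})
    # No session at all: nothing to protect, passed through.
    anonymous = Request("GET")
    return (csrf_check(legit, store),
            csrf_check(forged, store),
            csrf_check(guessed, store),
            csrf_check(anonymous, store))


if __name__ == "__main__":
    print(scenario())  # (True, False, False, True)
```

One practical consequence of reusing the session id as the token, independent of what the header is called: the client can only echo the id if it can read it, so a client that receives the session in an HttpOnly cookie needs the server to hand the id out some other way (a response header, for instance). Whether the header is named JSESSIONID or OVIRT-REST-CSRF-TOKEN does not change the check itself, only how obvious its purpose is to the reader, which is the point Vojtech raises.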


