[ovirt-devel] REST API CSRF protection header name
Juan Hernández
jhernand at redhat.com
Wed Dec 3 08:44:32 UTC 2014
On 12/02/2014 07:23 PM, Vojtech Szocs wrote:
> Hi,
>
> since 3.5 the oVirt REST API features CSRF protection
> mechanism via CSRFProtectionFilter, see [1] for details.
>
> [1] http://gerrit.ovirt.org/#/c/29681/
>
> I'd like to ask what's the motivation behind calling the
> CSRF token header "JSESSIONID". I think the header name
> should reflect its logical purpose to avoid confusion.
>
The motivation is that the CSRF protection filter checks the session
identifier, and as we plan to introduce a header for the session in the
future there is no need for an additional header.
> Could we rename this header to something more appropriate
> like "OVIRT-REST-CSRF-TOKEN" or similar? It would better
> reflect the purpose of this (CSRF protection) header.
>
> In future, we can still have another request header with
> name "JSESSIONID" for transmitting session ID from client
> to server, however this potential new header would have
> different purpose (transfer session ID vs. CSRF token).
> Each header should have name reflecting its purpose.
>
> (This is just a suggestion.)
>
> Thanks,
> Vojtech
> _______________________________________________
> Devel mailing list
> Devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
>
--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Commercial Registry – C.I.F. B82657941 - Red Hat S.L.
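The check Juan describes, as an added, constructed illustration that is not oVirt's CSRFProtectionFilter (the code behind gerrit change 29681 is not quoted in this thread): a request that rides on the JSESSIONID session cookie is accepted only if a request header repeats the same session identifier. A cross-site page can make the victim's browser attach the cookie, but it cannot add a custom header without a CORS preflight, so the forged request arrives without the header and is rejected, while a real API client simply copies the cookie value into the header. The cookie name is the standard Java servlet one; the header name, the Python class and function names, and the constructed session values are assumptions for this example. The header name is a constructor parameter so that the rename Vojtech proposes changes nothing in the check itself.

```python
import hmac
from typing import Mapping, Tuple

# Constructed example; not oVirt's own filter. The servlet session cookie
# name is standard, everything else here is an assumption for illustration.
SESSION_COOKIE = "JSESSIONID"


class CsrfProtectionFilter:
    """Accept a request only if its CSRF header repeats the session cookie.

    The session identifier doubles as the CSRF token, which is the design
    discussed in the thread: no second secret has to be minted or stored.
    """

    def __init__(self, header_name: str = "JSESSIONID") -> None:
        # Header names are case-insensitive on the wire, so normalise once.
        # Passing "OVIRT-REST-CSRF-TOKEN" here is the rename under discussion.
        self.header_name = header_name.lower()

    def check(self, cookies: Mapping[str, str],
              headers: Mapping[str, str]) -> Tuple[bool, str]:
        """Return (allowed, reason). Applied to every method, since an API
        client always sets the header and there are no HTML forms to break."""
        session_id = cookies.get(SESSION_COOKIE)  # cookie names are case-sensitive
        if session_id is None:
            # No session cookie means no ambient browser credential to forge;
            # whatever the request authenticates with (e.g. Authorization)
            # is verified elsewhere, so there is nothing for this filter to do.
            return True, "no session cookie"
        lowered = {k.lower(): v for k, v in headers.items()}
        token = lowered.get(self.header_name)
        if token is None:
            return False, "missing %s header" % self.header_name
        # Constant-time compare: the session id is a secret, so do not let a
        # byte-by-byte mismatch leak through timing.
        if not hmac.compare_digest(token.encode(), session_id.encode()):
            return False, "header does not match session cookie"
        return True, "ok"


def legitimate_request(session_id: str, header_name: str = "JSESSIONID"):
    """A real client echoes the cookie it holds into the CSRF header."""
    return {SESSION_COOKIE: session_id}, {header_name: session_id}


def forged_request(session_id: str):
    """A cross-site page gets the browser to attach the cookie, but cannot
    set a custom header without a CORS preflight, so only the cookie arrives."""
    return {SESSION_COOKIE: session_id}, {}


if __name__ == "__main__":
    flt = CsrfProtectionFilter()
    sid = "constructed-session-id-1234"  # constructed value
    print("legitimate:", flt.check(*legitimate_request(sid)))
    print("forged:    ", flt.check(*forged_request(sid)))
    renamed = CsrfProtectionFilter("OVIRT-REST-CSRF-TOKEN")
    print("renamed ok:", renamed.check(*legitimate_request(sid, "OVIRT-REST-CSRF-TOKEN")))
    print("old header:", renamed.check(*legitimate_request(sid)))
```

Note the caveat the last two calls make visible: once the header is renamed, clients still sending the value under "JSESSIONID" are rejected, so a rename is a client-visible API change and needs a transition plan, which is the practical cost behind Juan's preference for reusing one header.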