[FLOW3-general] Remove csrfToken from URL

Christian Müller christian.mueller at typo3.org
Fri Feb 8 10:54:16 CET 2013


Hi Rudy,

For sure there is. You can annotate your actions with
@Flow\SkipCsrfProtection; this will not generate a csrfToken for those
actions.
It won't break authentication, but be aware that this could be a security
issue if logged-in users are tricked into clicking on a link that
executes some action within their rights. That is what the csrf token
should prevent.

Cheers,
Christian


On 08.02.13 10:06, Rudy Gnodde wrote:
> Hello all,
>
> I'm working on my first Flow application. I do have experience with
> Extbase, so most things are at least familiar.
>
> For this application people need to log in, so I set up authentication
> using a PersistedUsernamePasswordProvider. This works fine, except
> that all URLs get a __csrfToken parameter appended. Normally this
> wouldn't technically be a problem, but this application should be
> available offline using applicationCache. The problem is that after
> each login the __csrfToken in the URL changes, which means it will be
> seen as a separate page and is cached as a separate entity. This
> results in duplicate cache entries.
>
> So, my question is: Is there a way to remove the __csrfToken parameter
> from the URL (without breaking authentication)?
>
> Thanks,
>
> Rudy
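The controller below is an added example illustrating the answer above; it is not code from this thread or from the Flow project. The package namespace Acme\Offline, the PageController, the Page model and the PageRepository are assumptions. The point it shows is the split Christian hints at: skip the token only on a read-only action (so the URL stays stable for the application cache) and keep CSRF protection on anything that changes state, because a logged-in user can be tricked into triggering an unprotected state-changing action from another site.

```php
<?php
// Added example, not code from the original thread or the Flow project.
// Acme\Offline, PageController, Page and PageRepository are assumed names.
namespace Acme\Offline\Controller;

use TYPO3\Flow\Annotations as Flow;
use TYPO3\Flow\Mvc\Controller\ActionController;
use Acme\Offline\Domain\Model\Page;

class PageController extends ActionController
{
    /**
     * @Flow\Inject
     * @var \Acme\Offline\Domain\Repository\PageRepository
     */
    protected $pageRepository;

    /**
     * Read-only action: it renders a page and changes no state, so a forged
     * request to it does no harm. That makes it a safe candidate for
     * @Flow\SkipCsrfProtection: links to it are generated without __csrfToken,
     * the URL no longer changes per login, and the application cache keeps
     * a single entry for it.
     *
     * @Flow\SkipCsrfProtection
     * @param Page $page
     * @return void
     */
    public function showAction(Page $page)
    {
        $this->view->assign('page', $page);
    }

    /**
     * State-changing action: leave CSRF protection in place. Links and forms
     * pointing here must carry the token, otherwise an attacker could embed
     * the delete URL in a page or e-mail and a logged-in user who follows it
     * would delete the page with their own rights.
     *
     * @param Page $page
     * @return void
     */
    public function deleteAction(Page $page)
    {
        $this->pageRepository->remove($page);
        $this->addFlashMessage('Page deleted.');
        $this->redirect('index');
    }
}
```

The rule of thumb: the annotation belongs on actions that only read, never on actions that create, update or delete, regardless of whether they are reached by GET or POST.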