[FLOW3-general] Remove csrfToken from URL

Steffen Wickham steffen at gaming-inc.de
Fri Feb 8 10:58:55 CET 2013


Hello Rudy,

One method is to add the @Flow\SkipCsrfProtection annotation for each
action.

There is a configuration value called "csrfStrategy" in the
Configuration.yaml within the Flow package. I have not been in touch with
it so far, but maybe you will find a better solution for your problem by
changing this value.

Greetings
Steffen



On 08.02.13 10:06, Rudy Gnodde wrote:
> Hello all,
>
> I'm working on my first Flow application. I do have experience with
> Extbase, so most things are at least familiar.
>
> For this application people need to log in, so I set up authentication
> using a PersistedUsernamePasswordProvider. This works fine, except
> that all URLs are appended by a __csrfToken parameter. Normally this
> wouldn't technically be a problem, but this application should be
> available offline using applicationCache. The problem is that after
> each login the __csrfToken in the URL changes, which means it will be
> seen as a separate page and is cached as a separate entity. This
> results in duplicate cache entries.
>
> So, my question is: Is there a way to remove the __csrfToken parameter
> from the URL (without breaking authentication)?
>
> Thanks,
>
> Rudy
> _______________________________________________
> FLOW3-general mailing list
> FLOW3-general at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general


