[FLOW3-general] Remove csrfToken from URL

Christian Müller christian.mueller at typo3.org
Fri Feb 8 11:06:09 CET 2013


Hey,

the csrfStrategy setting is only for deciding how often the token is
renewed. For total security you might want to change it in every request,
but that can be difficult because you basically cannot execute AJAX
requests, as you don't know the next token. So the default is to have a new
token per session.

Cheers,
Christian

On 08.02.13 10:58, Steffen Wickham wrote:
> Hello Rudy,
>
> one method is to add the @Flow\SkipCsrfProtection annotation for each
> action.
>
> There is a configuration value called "csrfStrategy" in the
> Configuration.yaml within the Flow package. I'm not in touch with it
> right now, but maybe you find a better solution for your problem by
> changing this value.
>
> Greetings
> Steffen
>
>
>
> On 08.02.13 10:06, Rudy Gnodde wrote:
>> Hello all,
>>
>> I'm working on my first Flow application. I do have experience with
>> Extbase, so most things are at least familiar.
>>
>> For this application people need to log in, so I set up authentication
>> using a PersistedUsernamePasswordProvider. This works fine, except
>> that all URLs have a __csrfToken parameter appended. Normally this
>> wouldn't technically be a problem, but this application should be
>> available offline using applicationCache. The problem is that after
>> each login the __csrfToken in the URL changes, which means it will be
>> seen as a separate page and is cached as a separate entity. This
>> results in duplicate cache entries.
>>
>> So, my question is: Is there a way to remove the __csrfToken parameter
>> from the URL (without breaking authentication)?
>>
>> Thanks,
>>
>> Rudy
>> _______________________________________________
>> FLOW3-general mailing list
>> FLOW3-general at lists.typo3.org
>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
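As an added example, not code from this thread or from the Flow project itself, here is the pattern Steffen suggests applied to the offline use case: a hypothetical controller where the read-only action whose URL must stay stable for the applicationCache manifest is annotated with @Flow\SkipCsrfProtection, while the state-changing action keeps CSRF protection. The namespace Acme\Offline, ArticleController, Article and ArticleRepository are assumptions for illustration. The caveat a practitioner should keep in mind: skip the check only on actions that do not change state; a side-effecting action reachable without the token is exactly the target the token exists to protect, and the csrfStrategy setting Christian describes only governs how often a still-required token is renewed, not whether it is required.

```php
<?php
namespace Acme\Offline\Controller;

// Hypothetical example (not part of the original thread or of Flow).
// Assumed: Flow 2.x class names and a domain model/repository named below.

use TYPO3\Flow\Annotations as Flow;
use TYPO3\Flow\Mvc\Controller\ActionController;
use Acme\Offline\Domain\Model\Article;
use Acme\Offline\Domain\Repository\ArticleRepository;

class ArticleController extends ActionController
{
    /**
     * @Flow\Inject
     * @var ArticleRepository
     */
    protected $articleRepository;

    /**
     * Read-only listing. Skipping CSRF protection here means links to this
     * action are built without a __csrfToken argument, so the URL is the same
     * in every session and can be listed once in the appcache manifest.
     *
     * @Flow\SkipCsrfProtection
     * @return void
     */
    public function listAction()
    {
        $this->view->assign('articles', $this->articleRepository->findAll());
    }

    /**
     * Read-only detail view: same reasoning as listAction.
     *
     * @Flow\SkipCsrfProtection
     * @param Article $article
     * @return void
     */
    public function showAction(Article $article)
    {
        $this->view->assign('article', $article);
    }

    /**
     * State-changing action: deliberately NOT annotated, so forms and links
     * targeting it still carry the token. Do not put this URL in the cache
     * manifest; it is supposed to differ between sessions.
     *
     * @param Article $article
     * @return void
     */
    public function updateAction(Article $article)
    {
        $this->articleRepository->update($article);
        $this->addFlashMessage('Article updated.');
        $this->redirect('show', null, null, array('article' => $article));
    }
}
```

Review the annotated actions once more before shipping: anything that writes, deletes, sends mail or changes login state belongs in the protected group, regardless of whether it is reached by GET or POST.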
