[FLOW3-general] Remove csrfToken from URL

Rudy Gnodde rgn at windinternet.nl
Fri Feb 8 11:14:51 CET 2013


On 8-2-2013 10:54, Christian Müller wrote:
> Hi Rudy,
>
> for sure there is. You can annotate your actions with
> @Flow\SkipCsrfProtection; this will not generate a csrfToken for those
> actions.
> It won't break authentication, but be aware that this could be a security
> issue if logged-in users are tricked into clicking on a link that
> executes some action in their rights space. That is what the csrf token
> should prevent.
>
> Cheers,
> Christian
>
>

I did see that option, but assumed it would break authentication. I 
guess I didn't understand what the CSRF token is for. Now I know.

There are only two actions that need to be available offline, so I added 
it to those and it works. Thanks.
