cloudstack-dev mailing list archives

From bhaisaab <...@git.apache.org>
Subject [GitHub] cloudstack pull request: Reinstate working sessions in browser
Date Fri, 29 May 2015 19:14:02 GMT
Github user bhaisaab commented on the pull request:

    https://github.com/apache/cloudstack/pull/308#issuecomment-106906370
  
    Hi @rsafonseca, thanks for replying.

    - I agree, it's best to force and use SSL than to use the secure flag.
    - Regarding point 3, what I mean to explain is that since we rely on the sessionkey passed in the HTTP API parameter, when we set the sessionkey httponly cookie we should put in a fix to check the sessionkey in the cookie as well on a request. The issue here is that for normal login it would work, because the login response will send the sessionkey, which the javascript code will save in a g_ (global) variable and reuse for future API requests. In case of alternative auth/login, for example the SAML plugin, we rely only on cookies, but if you make the sessionkey cookie httponly, the JS code won't be able to read that and future APIs will send an empty sessionkey API arg/parameter. Now, to make this work, the APIServlet needs to check for the sessionkey cookie in case the sessionkey HTTP parameter is missing or empty. The SAML plugin would set a sessionkey cookie that is readable, but in the fix, after we authenticate(), you're setting the sessionkey cookie to be httponly (so after login/redirection, JS code won't be able to read that cookie). If this is confusing, leave it for me - I can help fix this.
    - Regarding point 4, I guess what I meant to say is not to remove the argument but to cover the above case. I agree we don't need to remove it since API clients may break.

    I guess we have some agreement here, please go ahead and make the changes. I'm working on making the SAML plugin production grade, so I can help test all aspects of logging/authentication around it as well.

    Cheers.
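A sketch of the fallback the comment above asks for, added here as an illustration and not code from the CloudStack pull request: the servlet takes the session key from the API parameter when present, otherwise from the cookie, and after login issues the cookie as HttpOnly and Secure. The class name, method names and the cookie path are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Illustrative helper with assumed names; not CloudStack's own APIServlet. */
public final class SessionKeyResolver {
    static final String SESSION_KEY = "sessionkey";

    /** Prefer the explicit API parameter; fall back to the cookie when it is missing or empty. */
    static String resolveSessionKey(HttpServletRequest req) {
        String fromParam = req.getParameter(SESSION_KEY);
        if (fromParam != null && !fromParam.isEmpty()) {
            return fromParam;
        }
        Cookie[] cookies = req.getCookies(); // null when the request carries no Cookie header
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (SESSION_KEY.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                    return c.getValue();
                }
            }
        }
        return null;
    }

    /** After authenticate(): issue the session key as an HttpOnly + Secure cookie. */
    static void setSessionKeyCookie(HttpServletResponse resp, String sessionKey) {
        Cookie cookie = new Cookie(SESSION_KEY, sessionKey);
        cookie.setHttpOnly(true); // page JS cannot read it, so the API must also accept it from the cookie
        cookie.setSecure(true);   // only sent over TLS; goes with forcing SSL on the management server
        cookie.setPath("/client"); // assumed path; match the real UI/API path of the deployment
        resp.addCookie(cookie);
    }

    /** Servlet-side check: reject with 401 when neither source carries a session key. */
    static boolean requireSession(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String key = resolveSessionKey(req);
        if (key == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing sessionkey");
            return false;
        }
        // Validation of the key against the server-side session store goes here (not shown).
        // Caveat: a request authenticated by the cookie alone is sent by the browser automatically,
        // so state-changing calls still need a CSRF defence (e.g. requiring the sessionkey parameter).
        return true;
    }
}
```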

