Embed the XSRF token in the host page again

If the servlet container forces 'HttpOnly' on us for our account
session cookie, we can't use that to prevent cross-site forgery.
Instead embed a token that is unique to this session into the host
page, and have the web UI echo that token back on each request.
We'll validate the token matches the session cookie on the server,
and then simply never rotate it within the lifespan of the session.

Change-Id: Ia9678335b7446eab8a6ee7f043e03f928707b1ad
Signed-off-by: Shawn O. Pearce <sop@google.com>
5 files changed
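The scheme the commit describes, as an added illustration that is not the project's own code: a token that is unique to the session is written into the host page, the client echoes it on every request, and the server checks that the echoed value matches the one belonging to the session cookie. Deriving the token as an HMAC over the session id (so it needs no extra server-side storage and stays fixed for the session's lifetime), the cookie name `account_session`, the `X-XSRF-Token` header and the `<meta>` element are all assumptions made for this example; the commit only states that the token is session-unique and never rotated.

```python
import hashlib
import hmac
import html
import secrets

# Constructed server-side secret for the example; a real deployment loads
# this from configuration and keeps it out of the page.
SERVER_SECRET = secrets.token_bytes(32)


def xsrf_token_for(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the per-session XSRF token (assumed HMAC construction).

    Keying the HMAC with a server secret means the token is unique to the
    session, cannot be computed by a page that does not hold the secret,
    and is stable for as long as the session lives, so nothing has to be
    stored or rotated.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def render_host_page(session_id: str) -> str:
    """Embed the token in the host page for the web UI to read.

    The HttpOnly session cookie stays invisible to script; only the derived
    token is exposed, in a <meta> tag (assumed placement). It is HTML-escaped
    so a hostile-looking value cannot break out of the attribute.
    """
    token = xsrf_token_for(session_id)
    return (
        "<html><head>"
        f'<meta name="xsrf-token" content="{html.escape(token)}">'
        "</head><body></body></html>"
    )


def is_valid_request(cookies: dict, headers: dict) -> bool:
    """Server-side check: the echoed token must match the session cookie.

    A cross-site request can make the browser attach the cookie, but it
    cannot read the host page to learn the token, so it fails here.
    """
    session_id = cookies.get("account_session")
    presented = headers.get("X-XSRF-Token")
    if not session_id or not presented:
        return False
    expected = xsrf_token_for(session_id)
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Walk through the accept and reject cases with constructed sessions."""
    sid = "session-A-constructed"
    page = render_host_page(sid)
    token = xsrf_token_for(sid)
    return {
        "token_in_page": token in page,
        "legit_request": is_valid_request(
            {"account_session": sid}, {"X-XSRF-Token": token}
        ),
        # Browser attached the cookie but the forged request has no token.
        "forged_no_token": is_valid_request({"account_session": sid}, {}),
        # A token belonging to a different session is not accepted either.
        "wrong_session_token": is_valid_request(
            {"account_session": sid},
            {"X-XSRF-Token": xsrf_token_for("session-B-constructed")},
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Because the token is a pure function of the session id and the server secret, reissuing the host page during the same session yields the same token, which is exactly the "never rotate it within the lifespan of the session" behaviour the commit describes; ending the session (a new session id) implicitly invalidates the old token.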