Github user bhaisaab commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-106906370

Hi @rsafonseca, thanks for replying.

- I agree, it's best to force and use SSL than use the secure flag.
- Regarding point 3, what I mean to explain is that since we rely on the sessionkey passed in the HTTP API parameter, when we set the sessionkey httponly cookie we should put in a fix to check the sessionkey in the cookie as well on a request. The issue here is that for normal login it would work, because the login response will send the sessionkey which the javascript code will save in a g_ (global) variable and reuse for future API requests. In case of alternative auth/login, for example the SAML plugin, we rely only on cookies, but if you make the sessionkey cookie httponly the JS code won't be able to read that and future APIs will send an empty sessionkey API arg/parameter. Now, to make this work, the APIServlet needs to check for the sessionkey cookie in case the sessionkey HTTP parameter is missing or empty. The SAML plugin would set a sessionkey cookie that is readable, but in the fix, after we authenticate(), you're setting the sessionkey cookie to be httponly (so after login/redirection, JS code won't be able to read that cookie). If this is confusing, leave it for me; I can help fix this.
- Regarding point 4, I guess what I meant to say is not to remove the argument but to cover the above case. I agree we don't need to remove it since API clients may break.

I guess we have some agreement here, please go ahead and make the changes. I'm working on making the SAML plugin production grade, so I can help test all aspects of logging/authentication around it as well.

Cheers.
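The fallback rule discussed above (take the `sessionkey` from the API parameter, and only when that is missing or empty fall back to the `sessionkey` cookie, which the browser still sends even though an HttpOnly cookie is invisible to JavaScript) can be sketched as a small servlet-side helper. This is an added illustration, not CloudStack's ApiServlet code or anything from the pull request; the class and method names are assumptions, and only the `sessionkey` name and the HttpOnly/Secure cookie handling come from the discussion. It uses the standard `javax.servlet` API (Servlet 3.0+ for `setHttpOnly`).

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative helper (not CloudStack's own ApiServlet) for resolving the
 * session key of an API request: HTTP parameter first, cookie as fallback.
 * Class and method names are assumptions made for this example.
 */
public final class SessionKeyResolver {
    // Parameter/cookie name taken from the discussion above.
    public static final String SESSION_KEY = "sessionkey";

    private SessionKeyResolver() {}

    /**
     * Core rule as a pure function so it can be exercised without a servlet
     * container: a non-blank parameter wins; otherwise the first non-empty
     * "sessionkey" cookie is used; otherwise there is no key.
     */
    static String pickSessionKey(String paramValue, Cookie[] cookies) {
        if (paramValue != null && !paramValue.trim().isEmpty()) {
            return paramValue;
        }
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (SESSION_KEY.equals(c.getName())
                        && c.getValue() != null && !c.getValue().isEmpty()) {
                    return c.getValue();
                }
            }
        }
        // Neither source carried a key: the caller treats the request as unauthenticated.
        return null;
    }

    /** Servlet-facing entry point: called once per API request before auth checks. */
    public static String resolve(HttpServletRequest req) {
        return pickSessionKey(req.getParameter(SESSION_KEY), req.getCookies());
    }

    /**
     * Issue the session cookie after a successful login. HttpOnly keeps it out of
     * reach of page scripts; Secure restricts it to TLS when the site is served over SSL.
     */
    public static void setSessionCookie(HttpServletResponse resp, String key, boolean overTls) {
        Cookie c = new Cookie(SESSION_KEY, key);
        c.setHttpOnly(true);
        c.setSecure(overTls);
        c.setPath("/");
        resp.addCookie(c);
    }

    public static void main(String[] args) {
        // Constructed sample cookies standing in for what the browser would send.
        Cookie[] browserCookies = { new Cookie(SESSION_KEY, "cookie-key-123") };

        // Normal login: JS saved the key from the login response and sends it as a parameter.
        System.out.println("param + cookie -> " + pickSessionKey("param-key-abc", browserCookies));

        // SAML-style login: JS never saw the HttpOnly cookie, so the parameter arrives empty.
        System.out.println("empty param + cookie -> " + pickSessionKey("", browserCookies));

        // No key from either source.
        System.out.println("nothing -> " + pickSessionKey(null, null));
    }
}
```

Compile against a servlet-api jar and run `main` to see the three cases. One caveat worth keeping in mind when the cookie alone is accepted as the credential: a request that is authenticated purely by a browser-attached cookie can be triggered by any page the user visits, so the API's existing CSRF protections should be reviewed alongside this change rather than assumed to still hold.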