Refactoring and repairing login form #424

Merged: 6 commits merged into sympa-community:sympa-6.2 from issue-268-addition, Oct 9, 2018

Conversation

ikedas (Member) commented Sep 30, 2018

This PR contains additional fixes to PR #411, related to issue #268.

  • [change] Won't keep track of "referer" via form parameters, because such things may be prey to CSRF. Use the session variable "redirect_url" instead to keep the URL that the login action will return to.
  • [-bug] Regression: Information on the last login was not shown, since this feature had been prevented by the redirection.
  • [-bug] Regression: javascript: refresh_mom_and_die() had not worked, since the "nomenu" parameter had not been passed with the POST request.
  • Refactoring and correcting the feature of the sympa_altemails cookie (see alternative_email_attribute in auth.conf(5)):
    • It is dangerous to use a cookie for keeping information on alternative emails. Cookies thrown back by clients will no longer be used by Sympa: the information will be kept in the session store so that it is protected.
    • [Note] It is not obvious that this feature is really used; maybe it would be better to deprecate it in the future.
  • [-feature] Extend the size of the data_session field in the database to keep session data.
  • Other related fixups.

- Won't keep track of "referer" via parameters in forms: Use the session variable "redirect_url" instead.
- web_tt2/loginrequest.tt2 was deprecated: web_tt2/login.tt2 will be used.
- Several other fixups.

- Cookies thrown back by clients will no longer be used: The value of the cookie will be kept in the session store.

It is not obvious that this feature is really used. Maybe it will be deprecated in the future.

Currently, the estimated max. size of the content is approx. 2000 octets, besides the alt_emails attribute. Thus 2000 o is required and more is recommended.
- MySQL & SQLite: the "text" type may still be used.
- ODBC: varchar allows 8000 o, sometimes 4000 o: Use "varchar(4000)".
- Oracle: Oracle 7 allows 2000 o, and 8 and later allow 4000 o: Use "varchar2(2000)".
- PostgreSQL: Change "varchar()" to the compatible type "text".
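The two security-relevant changes in this PR share one pattern: state that decides where a user is sent after login, or which e-mail addresses a user may act as, is kept server-side in the session store rather than in a hidden "referer" form field or a sympa_altemails cookie that the client (or a cross-site form) can rewrite. The following is an added example of that pattern and of the data_session size check the commit notes call for; it is not Sympa's code (Sympa is written in Perl), and the names SESSIONS, require_login, login, may_act_as, encode_session and the authenticate/lookup_alt_emails callbacks are assumptions made for the illustration. It goes slightly beyond the PR text by also rejecting absolute and protocol-relative URLs as redirect targets, so the stored value cannot become an open redirect.

```python
# Added illustration, not Sympa's code: post-login return target and the list
# of alternative e-mails live in a server-side session store; a client-supplied
# "referer" form field and a client-supplied cookie are ignored. All names
# below are assumed for the example.
import json
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> dict of session data.
SESSIONS = {}

# Assumed limit for the serialized session row, per the PR's estimate that
# roughly 2000 octets are needed for data_session (more is recommended).
DATA_SESSION_MAX = 2000


def _session(sid):
    return SESSIONS.setdefault(sid, {})


def safe_local_path(url):
    """Accept only a path on this site. Anything with a scheme or host, or the
    protocol-relative '//host' and '/\\host' forms, is rejected so that the
    stored redirect target cannot become an open redirect."""
    if not url or url[0] != "/" or url[1:2] in ("/", "\\"):
        return None
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return None
    return url


def require_login(sid, requested_url):
    """An anonymous request hits a page that needs authentication: remember
    where to return in the session ("redirect_url"), never in a hidden form
    field that the client could rewrite or a cross-site form could set."""
    s = _session(sid)
    s["redirect_url"] = safe_local_path(requested_url) or "/"
    return s["redirect_url"]


def login(sid, form, authenticate, lookup_alt_emails):
    """Handle the login POST.

    form: submitted fields; a "referer" field, if present, is ignored.
    authenticate(email, passwd) -> bool: the auth backend (assumed).
    lookup_alt_emails(email) -> list: alternative addresses from the backend,
        i.e. the alternative_email_attribute lookup (assumed signature).
    """
    s = _session(sid)
    email = form.get("email", "")
    if not authenticate(email, form.get("passwd", "")):
        return {"status": "failed"}
    s["email"] = email
    # The server-side lookup result replaces the old sympa_altemails cookie.
    s["alt_emails"] = sorted(set(lookup_alt_emails(email)))
    # Use the target recorded by the server and clear it once consumed.
    return {"status": "ok", "redirect": s.pop("redirect_url", "/")}


def may_act_as(sid, email, cookies=None):
    """Authorisation check for an alternative identity. Only the session's
    alt_emails list counts; a sympa_altemails cookie in `cookies` that the
    client sends back is deliberately not consulted."""
    s = _session(sid)
    return email == s.get("email") or email in s.get("alt_emails", [])


def encode_session(sid, limit=DATA_SESSION_MAX):
    """Serialize session data for the data_session column, refusing rows that
    would not fit the column size chosen for the database backend."""
    blob = json.dumps(_session(sid), sort_keys=True, separators=(",", ":"))
    size = len(blob.encode("utf-8"))
    if size > limit:
        raise ValueError(f"session data is {size} octets, limit is {limit}")
    return blob
```

Because the redirect target is written only by require_login and read only by login, a forged "referer" field in the POST body has nothing to influence; the same holds for a replayed or tampered sympa_altemails cookie, since may_act_as never reads it. The size check mirrors the per-backend column choices listed above: a row that would exceed the configured limit is refused rather than silently truncated.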
@ikedas ikedas added the bug label Sep 30, 2018
@ikedas ikedas changed the title Refactor login form Refactoring and repairing login form Sep 30, 2018
@ikedas ikedas merged commit 6e49079 into sympa-community:sympa-6.2 Oct 9, 2018
@ikedas ikedas added this to the 6.2.38 milestone Oct 9, 2018
@ikedas ikedas deleted the issue-268-addition branch October 9, 2018 05:30