AJAX-Chat
Revert logout as POST back to logout as REQUEST
Logout as POST basically breaks logging out for integration versions and it doesn't seem like the best (or easiest) solution to make it work that way.
Revert logout back to a REQUEST var and include a security token to prevent XSS exploit.
Why would you want it as a POST anyway? Doesn't make much sense to me.
Sent from my iPhone
On 08.03.2013 at 18:38, Philip Nicolcev [email protected] wrote:
Logout as POST basically breaks logging out for integration versions and it doesn't seem like the best (or easiest) solution to make it work that way.
Revert logout back to a REQUEST var and include a security token to prevent XSS exploit.
Because a REQUEST variable without a token is vulnerable to XSS attacks. It's very easy for me to force you to log out of your own chat right now. It's the same reason the text variable was changed to POST.
The real question is: why would you want it as REQUEST? I think it was easier to code that way.
I can see your point. But I was confused from the type, I thought someone wanted the logout method changed.
Sent from my iPhone
On 08.03.2013 at 18:54, Philip Nicolcev [email protected] wrote:
Because a REQUEST variable without a token is vulnerable to XSS attacks. It's very easy for me to force you to log out of your own chat right now. It's the same reason the text variable was changed to POST.
The real question is: why would you want it as REQUEST? I think it was easier to code that way.
The problem is that the logout request variable is used for both logging out and checking by auto-login in the integration versions. If you simplify things and let the second role be played by a second variable (say noautologin) then the bugfix becomes trivial:
- In config.php put: $config['logoutData'] = './?noautologin';
- In AJAXChat::initRequestVars() initialize the new variable: $this->_requestVars['noautologin'] = isset($_REQUEST['noautologin']);
- In CustomAJAXChat::initCustomRequestVars() check for the new variable: if(!$this->getRequestVar('noautologin') ...
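The two points raised in this thread, a logout parameter that cannot be triggered by a request forged from another site, and a separate flag that only suppresses auto-login, can be combined in one small handler. The following PHP is an added example written for this discussion; it is not AJAX-Chat's own code, and the function names (getLogoutToken, logoutLink, isValidLogoutRequest, shouldAutoLogin) and the token parameter name are assumptions for illustration.

```php
<?php
// Added example, not AJAX-Chat's own code. Shows how a logout parameter can stay
// in $_REQUEST (so GET links keep working for integration versions) while being
// bound to the current session with a token, and how "noautologin" is kept as a
// separate flag so the two meanings of "logout" no longer share one variable.
// All function names and the 'token' parameter are hypothetical.

session_start();

// One random token per session, generated on first use and stored server-side.
function getLogoutToken(): string {
    if (empty($_SESSION['logoutToken'])) {
        $_SESSION['logoutToken'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['logoutToken'];
}

// The link the chat page emits. A page on another origin cannot read this token,
// so it cannot build a request that passes isValidLogoutRequest().
function logoutLink(): string {
    return './?logout=1&noautologin=1&token=' . urlencode(getLogoutToken());
}

// Accept the logout request only if it carries the token of this very session.
function isValidLogoutRequest(array $request, array $session): bool {
    if (empty($request['logout'])) {
        return false;
    }
    $given    = $request['token'] ?? '';
    $expected = $session['logoutToken'] ?? '';
    // hash_equals() compares in constant time and rejects a missing/empty token.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// The second role of the old logout variable: just "don't log me back in".
// No token is needed here, because skipping auto-login has no security impact.
function shouldAutoLogin(array $request): bool {
    return empty($request['noautologin']);
}

// Request handling: a forged cross-site request without the token is ignored
// and the user stays logged in; a genuine click on logoutLink() ends the session.
if (isValidLogoutRequest($_REQUEST, $_SESSION)) {
    session_unset();
    session_destroy();
    header('Location: ./?noautologin=1');
    exit;
}

if (shouldAutoLogin($_REQUEST)) {
    // Integration versions would resume the forum/CMS login here.
} else {
    // Show the login page without automatically re-entering the chat.
}
```

The token only needs to be unguessable and tied to the session; rotating it on every logout is not required. Keeping noautologin separate also answers the concern about the login page: the handler can tell "left the chat" (noautologin set, session intact) from "logged out of the authentication system" (valid token, session destroyed) and render a different page for each.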
That's what I was thinking about doing.
The reason I hesitate is because, if you think about it, the login page doesn't make much sense in these cases. If you are already logged in, it shouldn't show the username/password fields at all. Instead it should just have a login button and maybe a list of online users, like being in a lobby.
What I mean is there is a difference between logging out of an authentication system, and leaving chat. I was hoping to find a better way to distinguish these two commands.
As a matter of fact, this has bothered me too for quite some time. A second intro (or outro) page for logged in users would be a nice addition to the chat software and I am all for it.