mirror of https://we.phorge.it/source/phorge.git synced 2024-12-01 03:02:43 +01:00
phorge-phorge/src/applications/auth/controller
epriestley 69ddb0ced6 Issue "anonymous" sessions for logged-out users
Summary:
Ref T4339. Ref T4310. Currently, sessions look like `"afad85d675fda87a4fadd54"`, and are only issued for logged-in users. To support logged-out CSRF and (eventually) external user sessions, I made two small changes:

  - First, sessions now have a "kind", which is indicated by a prefix, like `"A/ab987asdcas7dca"`. This mostly allows us to issue session queries more efficiently: we don't have to issue a query at all for anonymous sessions, and can join the correct table for user and external sessions and save a query. Generally, this gives us more debugging information and more opportunity to recover from issues in a user-friendly way, as with the "invalid session" error in this diff.
  - Secondly, if you load a page and don't have a session, we give you an anonymous session. This is just a secret with no special significance.

This does not implement CSRF yet, but gives us a client secret we can use to implement it.

Test Plan:
  - Logged in.
  - Logged out.
  - Browsed around.
  - Logged in again.
  - Went through link/register.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4310, T4339

Differential Revision: https://secure.phabricator.com/D8043
2014-01-23 14:03:22 -08:00
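The session-kind scheme the commit message describes, worked through as an added example. This is illustrative Python, not Phorge/Phabricator code (the project is PHP), and it assumes several things the commit does not state: the "U" (user) and "X" (external) prefix letters (only "A/" appears in the message), digest-keyed session tables, the InvalidSessionError name, and an HMAC-based CSRF token derived from the anonymous secret. The commit explicitly says CSRF is not implemented yet; the derivation shown is one way the client secret could later be used.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# One-letter "kind" prefixes. Only "A/" is shown in the commit message; the
# "U" (user) and "X" (external) letters are assumptions for this example.
KIND_ANONYMOUS = "A"
KIND_USER = "U"
KIND_EXTERNAL = "X"
KNOWN_KINDS = (KIND_ANONYMOUS, KIND_USER, KIND_EXTERNAL)


class InvalidSessionError(Exception):
    """A kind-prefixed cookie that names a user/external session we do not hold."""


@dataclass
class Session:
    kind: str
    secret: str
    principal: Optional[str] = None  # user or external-account identifier
    fresh: bool = False              # True when this request minted the session


def parse_session_cookie(cookie: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split "K/secret" into (kind, secret).

    Returns None for a missing cookie, a legacy unprefixed value such as
    "afad85d675fda87a4fadd54", an unknown kind letter, or an empty secret.
    """
    if not cookie or "/" not in cookie:
        return None
    kind, _, secret = cookie.partition("/")
    if kind not in KNOWN_KINDS or not secret:
        return None
    return kind, secret


def issue_anonymous_cookie() -> str:
    """An anonymous session is just a random secret with no special significance."""
    return f"{KIND_ANONYMOUS}/{secrets.token_hex(20)}"


def secret_digest(secret: str) -> str:
    """Tables are keyed by a digest so a dumped table does not yield usable cookies."""
    return hashlib.sha256(secret.encode()).hexdigest()


class SessionResolver:
    """Stand-in for the user and external session tables (constructed data)."""

    def __init__(self, user_sessions: Dict[str, str], external_sessions: Dict[str, str]):
        self._tables = {KIND_USER: user_sessions, KIND_EXTERNAL: external_sessions}
        self.queries = 0  # counts simulated table lookups

    def resolve(self, cookie: Optional[str]) -> Session:
        parsed = parse_session_cookie(cookie)
        if parsed is None:
            # No usable cookie: hand the visitor an anonymous session.
            fresh = issue_anonymous_cookie()
            return Session(KIND_ANONYMOUS, fresh.split("/", 1)[1], fresh=True)
        kind, secret = parsed
        if kind == KIND_ANONYMOUS:
            # The prefix tells us no table holds this session, so no query is issued.
            return Session(kind, secret)
        # The prefix also selects the table to join, so a single lookup suffices.
        self.queries += 1
        principal = self._tables[kind].get(secret_digest(secret))
        if principal is None:
            # Surfaced to the user as an explicit "invalid session" error rather
            # than silently treating them as logged out.
            raise InvalidSessionError(f"no {kind} session for the presented secret")
        return Session(kind, secret, principal)


def csrf_token(session_secret: str, server_key: bytes) -> str:
    """Assumed construction: HMAC the client-held secret under a server-side key.

    The token is bound to the session cookie without being the cookie itself,
    so a form can carry it in the page body while the cookie stays HttpOnly.
    """
    return hmac.new(server_key, session_secret.encode(), hashlib.sha256).hexdigest()[:32]


def verify_csrf(session_secret: str, server_key: bytes, presented: str) -> bool:
    """Constant-time comparison against the token recomputed for this session."""
    return hmac.compare_digest(csrf_token(session_secret, server_key), presented)
```

Because the kind letter is read before any lookup, a request carrying "A/..." costs no database round trip, while "U/..." and "X/..." each cost exactly one; a cookie whose prefix names a table but whose secret is absent from it is reported as an invalid session instead of being quietly downgraded.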
config Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
PhabricatorAuthConfirmLinkController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorAuthController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthLinkController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthLoginController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthNeedsApprovalController.php Slightly improve behavior for unverified + unapproved users 2013-11-21 12:58:58 -08:00
PhabricatorAuthOldOAuthRedirectController.php Make old GitHub OAuth URIs work for now 2013-06-21 06:11:57 -07:00
PhabricatorAuthRegisterController.php Add a common password blacklist 2014-01-23 14:01:18 -08:00
PhabricatorAuthStartController.php Issue "anonymous" sessions for logged-out users 2014-01-23 14:03:22 -08:00
PhabricatorAuthUnlinkController.php Move all account link / unlink to new registration flow 2013-06-17 06:12:45 -07:00
PhabricatorAuthValidateController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorDisabledUserController.php Restore merge of phutil_tag. 2013-02-13 14:51:18 -08:00
PhabricatorEmailLoginController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorEmailTokenController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorEmailVerificationController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorLogoutController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorMustVerifyEmailController.php Recover more flexibly from an already-verified email 2013-11-21 14:41:32 -08:00
PhabricatorRefreshCSRFController.php Delete license headers from files 2012-11-05 11:16:51 -08:00