
Auth form action should not be relative
Closed, InvalidPublic

Description

The authentication form URL is relative (<form action="/auth/login/password:self/">); it ends in an AphrontCSRFException if:

  • The user used an http:// url
  • The phabricator.base-uri is https://

From what I see, if phabricator.base-uri is https:// the cookie is sent with the secure parameter, so the "token" POST parameter is considered forged by Aphront.

It would be great if:

  • If phabricator.base-uri is https://, then all HTTP requests to Phabricator are redirected to HTTPS (possibly controlled by a phabricator.force_secure parameter or similar)

OR

  • The auth form action is generated respecting the phabricator.base-uri parameter
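The failure chain in this report (page loaded over http, relative form action, Secure session cookie withheld by the browser, CSRF token rejected) and the two mitigations discussed in the thread, modelled as an added example. This is not the task's or Phabricator's code: the hostname, the base URI value and all function names are constructed for illustration; the only value taken from the page is the form action path. The cookie rule it encodes is the standard browser behaviour for the Secure attribute, and the CSRF check is a generic double-submit comparison, not Aphront's implementation.

```python
"""Model of a relative form action breaking CSRF validation under mixed schemes.

Constructed example. Hostnames, the base URI and helper names are assumptions;
only the form action path comes from the report.
"""
from urllib.parse import urljoin, urlsplit

LOGIN_PATH = "/auth/login/password:self/"  # form action quoted in the report


def resolve_action(page_url, action):
    """Resolve a form's action the way a browser does: a relative action
    inherits the scheme and host of the page that rendered the form."""
    return urljoin(page_url, action)


def browser_sends_cookie(request_url, cookie_secure):
    """A cookie carrying the Secure attribute is only attached to https requests."""
    return urlsplit(request_url).scheme == "https" or not cookie_secure


def csrf_valid(request_url, cookie_secure, posted_token, cookie_token):
    """Double-submit check: the POSTed token must match the token bound to the
    session cookie. If the browser withheld the cookie there is nothing to
    compare against, so a genuine token is indistinguishable from a forged one."""
    if not browser_sends_cookie(request_url, cookie_secure):
        return False
    return posted_token == cookie_token


def absolute_action(base_uri, path):
    """Mitigation A (the report's second suggestion): derive the form action from
    the configured base URI, so the POST is always sent to the https origin."""
    return urljoin(base_uri, path)


def force_https(request_url, require_https):
    """Mitigation B (the require-https approach): redirect plain-http requests to
    the same URL over https. Returns the redirect target, or None when no
    redirect is needed."""
    parts = urlsplit(request_url)
    if require_https and parts.scheme == "http":
        return parts._replace(scheme="https").geturl()
    return None


def login_over_http(base_uri, action):
    """Reproduce the reported scenario: base-uri is https, but the user opened the
    login page over http. The session cookie is Secure because base-uri is https.
    Returns whether the CSRF check on the resulting POST passes."""
    http_page = urlsplit(base_uri)._replace(scheme="http").geturl()
    target = resolve_action(http_page, action)
    cookie_secure = urlsplit(base_uri).scheme == "https"
    return csrf_valid(target, cookie_secure, "tok", "tok")


if __name__ == "__main__":
    base = "https://phabricator.example.test/"          # constructed base-uri
    print(login_over_http(base, LOGIN_PATH))             # relative action: fails
    print(login_over_http(base, absolute_action(base, LOGIN_PATH)))  # passes
    print(force_https("http://phabricator.example.test" + LOGIN_PATH, True))
```

With the relative action the POST lands on the http origin, the Secure cookie stays home and the check fails even though the token itself was correct; either generating an absolute action from the base URI or redirecting http to https before the form is ever rendered makes the same token validate.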

Event Timeline

jucrouzet assigned this task to epriestley.
jucrouzet raised the priority of this task from to Needs Triage.
jucrouzet updated the task description.
jucrouzet added a project: Phabricator.
jucrouzet added a subscriber: jucrouzet.

Have you tried enabling security.require-https?

Oh... OK.

Shame on me, sorry for the stupid question.