Posted

What I am trying to do is: there must be a way to log in to Blesta from another web application. We can log in to WHMCS from Joomla using curl.

So that the user can browse WHMCS pages without leaving Joomla. We are trying to do the same for Blesta, but the CSRF token is preventing me from doing that.

Posted


check post #2.

Posted

@CubicWebs

Thanks, but I don't want to add or modify any code in Blesta. Without touching any code in Blesta, I must be able to log in using curl or by submitting a form.

The CSRF token must be on too.

 

Is it possible?

 

Disabling CSRF tokens on the login page is just a configuration file change, and will eliminate CSRF as an obstacle to logging in in a non-standard way.

Posted

One funny thing is that WHMCS also has this token, but curl works even if you provide any value for it.

It's generated by Blesta and changes every time you refresh. Therefore it's hard to implement it outside Blesta, and Blesta is secure enough so there's no need to worry.

Posted

Do you think asking the customer to disable the CSRF token is good?

 

Paul is referring to disabling CSRF token validation for the client login page only. Disabling CSRF token validation on a login form does not introduce any security vulnerabilities. At best an attacker that knows a particular user's login credentials could trick that (or another) user into logging into that system. Of course, if your login credentials are known to an attacker you have bigger problems to worry about.

Posted

There are a number of ways shared login could be handled using a plugin. I mentioned one of them in another thread. Using a plugin would be the most preferable way, as it would not require any changes in Blesta. But for those who don't want to or can't create a plugin, disabling the CSRF check on client login is the best solution.

 

Another simple way of implementing shared login through a plugin would be to have the plugin generate a unique, time-restricted token for a given user, then redirect the user to the plugin with the token (which could then forward the user to a separate page), or perform an AJAX request on the plugin URL.
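One way to realise the token hand-off described in the post above, as an added example that is not code from Blesta, Joomla or any of the posters. It is written in Python so that it runs stand-alone (a real Blesta plugin would be PHP, but the scheme is language-neutral): the issuing side signs a small payload (user id, intended consumer, issue time, random nonce) with HMAC-SHA256 over a secret shared by both applications, and the consuming side verifies the signature in constant time, rejects expired tokens and tokens minted for a different consumer, and burns each nonce so that a token captured from a proxy log or browser history cannot be replayed. The function and class names, the `blesta-sso` audience string, the user id `42`, the lifetimes and the fixed clock values are all assumptions made for the example.

```python
"""Time-limited, single-use shared-login token (added example, not Blesta/Joomla code)."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Assumption: the token is consumed right after the redirect, so a short lifetime
# keeps the replay window small without breaking the normal flow.
TOKEN_TTL_SECONDS = 60
CLOCK_SKEW_SECONDS = 5  # tolerate small clock differences between the two apps


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def issue_token(secret: bytes, user_id: str, audience: str,
                now: Optional[float] = None) -> str:
    """Issuing side (Joomla in the thread): sign {uid, aud, iat, nonce} with HMAC-SHA256."""
    payload = {
        "uid": user_id,
        "aud": audience,                      # only this consumer should accept the token
        "iat": int(time.time() if now is None else now),
        "nonce": _b64encode(os.urandom(16)),  # unique per token, so each can be used once
    }
    body = _b64encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64encode(sig)


class TokenVerifier:
    """Consuming side (the hypothetical Blesta plugin): validates and burns tokens."""

    def __init__(self, secret: bytes, audience: str, ttl: int = TOKEN_TTL_SECONDS):
        self.secret = secret
        self.audience = audience
        self.ttl = ttl
        self._used: Dict[str, int] = {}  # nonce -> time after which it can be forgotten

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid, unused token; None otherwise."""
        now_s = int(time.time() if now is None else now)
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self.secret, body.encode("ascii"), hashlib.sha256).digest()
            # Check the signature before parsing anything attacker-controlled.
            if not hmac.compare_digest(expected, _b64decode(sig)):
                return None
            payload = json.loads(_b64decode(body))
        except ValueError:  # bad structure, bad base64, bad UTF-8 or bad JSON
            return None
        if not isinstance(payload, dict) or payload.get("aud") != self.audience:
            return None  # malformed, or minted for a different consumer
        iat, nonce, uid = payload.get("iat"), payload.get("nonce"), payload.get("uid")
        if not isinstance(iat, int) or not isinstance(nonce, str) or not isinstance(uid, str):
            return None
        if iat > now_s + CLOCK_SKEW_SECONDS or now_s - iat > self.ttl:
            return None  # expired, or issued "in the future"
        self._used = {n: exp for n, exp in self._used.items() if exp > now_s}  # prune
        if nonce in self._used:
            return None  # replayed token
        self._used[nonce] = iat + self.ttl + CLOCK_SKEW_SECONDS  # burn it
        return uid


def demo() -> Dict[str, Optional[str]]:
    """Exercise the happy path and each failure mode with a fixed clock (constructed data)."""
    secret = os.urandom(32)  # in practice: a secret configured in both applications
    t0 = 1_700_000_000       # fixed "now" so the results are deterministic
    verifier = TokenVerifier(secret, audience="blesta-sso")
    token = issue_token(secret, "42", "blesta-sso", now=t0)
    tampered = ("B" if token[0] == "A" else "A") + token[1:]  # alter the signed body
    return {
        "fresh": verifier.verify(token, now=t0 + 10),        # "42"
        "replay": verifier.verify(token, now=t0 + 11),       # None: nonce already burned
        "tampered": verifier.verify(tampered, now=t0 + 10),  # None: HMAC mismatch
        "expired": verifier.verify(issue_token(secret, "42", "blesta-sso", now=t0), now=t0 + 120),
        "wrong_key": TokenVerifier(os.urandom(32), "blesta-sso").verify(token, now=t0 + 10),
        "wrong_aud": verifier.verify(issue_token(secret, "42", "joomla", now=t0), now=t0 + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The consuming endpoint would call `verify()` on the token it receives in the redirect or AJAX request, start the Blesta session for the returned user id, and forward the user on; the in-memory nonce store is enough for a single server, while a multi-server deployment would keep it in a shared store with the same expiry.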

Posted

Hi, thanks for the reply.

So I have two options:

1) Disabling the CSRF check on client login is the best solution.

2) Create a plugin to generate a token for a user. Use the API from Joomla to get the token. In this way we can implement login with a token too.

Am I right?
