
Remove the undocumented login-with-token page #8336

Merged: 1 commit, Aug 22, 2024

Commits on Aug 22, 2024

  1. Remove the undocumented login-with-token page

    There are several problems with this feature:
    
    1. To use it, you have to put the user's token in the URL. This token lasts
       forever (unless the user explicitly logs out), so it is nearly as
       sensitive as the user's password. Embedding such sensitive information in
       the URL is problematic, because URLs are saved in the browser history,
       dumped to server logs and displayed on the screen, none of which are
       secure locations. A user could also accidentally share a URL with an
       embedded token.
    
    2. If an attacker can get a user to follow a malicious link, they could
       forcibly log that user into the attacker's account (AKA "login CSRF").
       This by itself is just a nuisance, but the attacker could potentially use
       this to trick the victim into, for example, uploading confidential data
       to the attacker's account.
    
    3. By design, it requires the use of token authentication, whose drawbacks I
       have explained in cvat-ai#8289.
    
       In fairness, when originally implemented, this feature set the session
       cookie rather than the token, but this cannot work if the user is already
       logged in, as the `sessionid` cookie is marked `HTTPOnly` and cannot be
       overridden by JavaScript. So the only way for this feature to work in all
       circumstances is to set the token.
    
    Generally, the use cases of this feature are better served by single sign-on
    protocols, which don't suffer from these drawbacks.
    SpecLad committed Aug 22, 2024
    f3ebea1
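A defensive follow-up to point 1 of the commit message (added example, not code from this PR or from CVAT): a scrubber that scans web-server access logs for request URLs carrying an authentication token in the query string, counts them, and redacts the value before the log is retained or shipped elsewhere. The parameter names, the `/auth/login-with-token` path and the log lines are constructed assumptions, since the PR page does not show the removed page's URL format.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as secrets. The exact name the removed
# page used is not stated on the PR page; these are assumptions.
SECRET_PARAMS = {"token", "auth_token", "access_token"}

# Constructed sample access-log lines (Common Log Format style).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2024:10:00:01 +0000] "GET /api/tasks HTTP/1.1" 200 512
10.0.0.7 - - [22/Aug/2024:10:00:02 +0000] "GET /auth/login-with-token?token=deadbeefcafe1234&next=/tasks HTTP/1.1" 302 0
10.0.0.9 - - [22/Aug/2024:10:00:03 +0000] "GET /projects?search=token HTTP/1.1" 200 2048
"""

# Matches the quoted request line: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target: str) -> tuple[str, bool]:
    """Return (redacted request target, whether a secret parameter was present)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found = False
    cleaned = []
    for key, value in pairs:
        if key.lower() in SECRET_PARAMS:
            found = True
            cleaned.append((key, "REDACTED"))
        else:
            cleaned.append((key, value))
    if not found:
        return target, False
    return urlunsplit(parts._replace(query=urlencode(cleaned))), True


def scan_log(text: str) -> tuple[list[str], int]:
    """Redact secret query parameters line by line; count lines that carried one."""
    out, hits = [], 0
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            new_target, found = redact_target(m.group("target"))
            if found:
                hits += 1
                line = line[:m.start("target")] + new_target + line[m.end("target"):]
        out.append(line)
    return out, hits


if __name__ == "__main__":
    lines, count = scan_log(SAMPLE_LOG)
    print(f"{count} token-bearing request(s) redacted")
    print("\n".join(lines))
```

Only the parameter key decides a hit, so a search term that merely contains the word "token" (third sample line) is left untouched.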