Monday, 2014-09-29

*** openstack has joined #openstack-horizon		12:40
mrunge	mflobo, you have a feature request for a specific view right now, right?	12:41
mflobo	mrunge, yes	12:41
mflobo	mrunge, I want to split the image list for project dahsboard in N HTML tables, instead only one	12:42
mrunge	mflobo, yes, I saw your question on ask.openstack.org	12:42
mflobo	mrunge, so, I want to modify all the _data_table HTML's related only for this view	12:42
mrunge	mflobo, sorting of image list does not help you?	12:42
mflobo	mrunge, no it doesn't, because I need separate tables, one table per "flavor"	12:43
*** sayali has quit IRC		12:43
mrunge	mflobo, because you'll have different actions?	12:44
mrunge	mflobo, or is this to differentiate types better?	12:45
mflobo	mrunge, it is to differentiate types better	12:45
mflobo	mrunge, I will upload an picture example y ask.openstack.org question	12:46
mrunge	mflobo, great.	12:46
*** tosky has quit IRC		12:48
mflobo	mrunge, this is my use case https://ask.openstack.org/upfiles/14119948625876313.png	12:48
mrunge	mflobo, and what about grouping them in instances as well?	12:49
mflobo	mrunge, my use case is only for image list, not for other lists in Horizon like instances	12:49
mrunge	mflobo, no interest for this in other instance lists as well?	12:50
mflobo	mrunge, no, only in image list	12:50
mrunge	mflobo, how do you differentiate your images?	12:51
mrunge	just by naming convention?	12:51
mflobo	mrunge, in this case by images properties	12:51
mrunge	mflobo, we were thinking about adding arbitrary tags to images	12:52
mrunge	so, I was currently thinking of making a view sorted by tags	12:52
mrunge	(or so)	12:52
mflobo	mrunge, In that case you need something similar than me: the capability to re-define some HTML views	12:53
mrunge	mflobo, in my case, that should be available in other tables as well	12:54
mrunge	mflobo, could you please file a blueprint: https://blueprints.launchpad.net/horizon	12:54
mflobo	mrunge, ok, understand, your case is different	12:54
mrunge	and attach your image there?	12:55
mrunge	mflobo, sorry, I have to run out to get my kids from school	12:55
mflobo	mrunge, ok, don't worry, thanks a lot for your time!	12:55
*** sayali has joined #openstack-horizon		12:57
*** neelashah has joined #openstack-horizon		12:58
*** _crobertsrh is now known as crobertsrh		13:01
*** jacalcat has joined #openstack-horizon		13:01
*** aberezin has quit IRC		13:05
*** jacalcat has quit IRC		13:17
*** julim has joined #openstack-horizon		13:24
*** tosky has joined #openstack-horizon		13:29
*** gokrokve has joined #openstack-horizon		13:32
*** pawels has joined #openstack-horizon		13:32
*** krykowski has joined #openstack-horizon		13:34
*** gokrokve has quit IRC		13:36
*** mrunge has quit IRC		13:38
*** sigmavirus24 has joined #openstack-horizon		13:43
*** Dafna has quit IRC		13:46
*** radez_g0n3 is now known as radez		13:46
*** masco has quit IRC		13:47
*** Dafna has joined #openstack-horizon		13:53
*** bfic has quit IRC		13:58
*** gokrokve has joined #openstack-horizon		13:58
*** krykowski has quit IRC		14:04
*** pawels has quit IRC		14:05
sambetts	doug-fish: ping	14:08
*** woodm1979 has joined #openstack-horizon		14:09
doug-fish	sambetts: hi	14:09
sambetts	doug-fish: Hi! o/ Just wondering if you had a chance to look at my reply here: https://review.openstack.org/#/c/118334/ and if you had any more thoughts on the way forward with this patch	14:10
*** krykowski has joined #openstack-horizon		14:13
doug-fish	sambetts: Just looking at your response now ... AFAIK there isn't an obivous solution to the problem you are working. Horizon itself doen't have any persistent storage. Django supports that (of course), but then really steps up the amount of release to release maintentance that needed, so that approach proabably won't be well received ...	14:13
doug-fish	I think there is some idea/discussion/concept of adding metadata to keystone users, that might be a better approach	14:14
sambetts	doug-fish: haha thats what I was just asking :-P	14:14
doug-fish	oh	14:14
sambetts	doug-fish: meant about to ask	14:14
doug-fish	I was going to say ... I must have really misunderstood your question!	14:15
sambetts	sorry about that, it I just found it funny that we came to a simlar thought at the same time, do you think I should hold off on working on that patch further then, its really just a bandaid until that keystone stuff gets implemented	14:16
doug-fish	well I think its worth figuring out the current state of keystone ...	14:17
doug-fish	if the support is there maybe you should just make Horizon use that as storage?	14:18
*** john-davidge has joined #openstack-horizon		14:18
*** sayan has joined #openstack-horizon		14:18
*** jomara has joined #openstack-horizon		14:19
*** jomara_ has quit IRC		14:21
*** dkorn has quit IRC		14:21
*** ZZelle has quit IRC		14:28
*** ZZelle has joined #openstack-horizon		14:28
doug-fish	it's not clear to me keystone has the support. I'm asking in their channel now	14:28
*** jrist has joined #openstack-horizon		14:30
*** aix has quit IRC		14:31
*** krykowski has quit IRC		14:31
*** rwsu has joined #openstack-horizon		14:33
*** k4n0 has quit IRC		14:34
*** gokrokve_ has joined #openstack-horizon		14:35
*** gokrokve_ has quit IRC		14:37
*** gokrokve_ has joined #openstack-horizon		14:37
*** gokrokve has quit IRC		14:38
*** jprovazn has quit IRC		14:40
*** ericpeterson has joined #openstack-horizon		14:41
*** Drago has joined #openstack-horizon		14:52
*** Drago1 has joined #openstack-horizon		14:54
*** bpokorny has quit IRC		14:54
*** bpokorny has joined #openstack-horizon		15:03
*** julim has quit IRC		15:04
*** vijendar has joined #openstack-horizon		15:06
*** med_ has quit IRC		15:07
*** julim has joined #openstack-horizon		15:08
*** rbertram has joined #openstack-horizon		15:10
*** Drago has quit IRC		15:12
*** Drago has joined #openstack-horizon		15:12
doug-fish	sambetts: so using keystone won't be an option	15:17
sambetts	doug-fish: seems like it	15:17
doug-fish	We've avoided using a DB in Horizon ... I think its mostly because of the release to release resposibilities for managing it	15:17
sambetts	Yes, I get that, I've had that issue managing migrations before	15:18
doug-fish	I think if you could make the preferences optionally readable/writeable to a configurable DB or cookies that would solve the problem.	15:19
*** rdopieralski has quit IRC		15:20
*** Longgeek has quit IRC		15:20
doug-fish	sort of like how the session data can be configured to use different backends	15:20
sambetts	with the cookie mode should we maintain the fix I've proposed? Otherwise there will still be the inter-user settings leak	15:21
*** david-lyle has joined #openstack-horizon		15:21
*** jacalcat has joined #openstack-horizon		15:22
doug-fish	I dont' think so, to me the complications of using per user cookies are greater than the benefits	15:22
sambetts	what complication are you seeing?	15:23
doug-fish	complication is taht the request sizes will get larger for each user than has ever signed in to that browser	15:23
morganfainberg	doug-fish, i might be forgetting this, but i think you can do sub-cookies that are independent of the site-cookie	15:25
*** sbfox has joined #openstack-horizon		15:25
morganfainberg	doug-fish, but honestly it's been since 2010 since i've had to fight with web apps	15:25
doug-fish	morganfainberg: are you thinking of cookies scoped to the path?	15:25
sambetts	I can see having 1 - 3 but I can't see that one browser would be used for more than that?	15:25
morganfainberg	doug-fish, hm, maybe.	15:25
sambetts	if thats the case, then the operator might need to consider changing horizon storage backend anyway	15:26
morganfainberg	doug-fish, i remember having to solve this issue / work with it when i worked at $big_social_network_that_isnt_facebook$	15:26
*** sbfox has quit IRC		15:27
*** Guest73730 is now known as mgagne		15:29
*** mgagne has quit IRC		15:29
*** mgagne has joined #openstack-horizon		15:29
doug-fish	sambetts: it could be that I'm paranoid. I'm concerned about this kind of multiple-user behavior being able to affect the site performance.	15:29
*** vokhrimenko has quit IRC		15:33
*** Ala has quit IRC		15:34
sambetts	doug-fish: Its certainly tricky, what if we moved the user prefs into JSON, so you had 1 cookie entry per user	15:35
*** radez is now known as radez_g0n3		15:36
*** EmilyW has joined #openstack-horizon		15:36
doug-fish	maybe. Again, my concern is really that the size of the cookies being passed back and forth is going to grow each time a new user has preferences ....	15:37
doug-fish	putting in one cookie per user would help some because the user id wouldn't be repeated in each cookie name	15:37
*** gokrokve has joined #openstack-horizon		15:38
sambetts	doug-fish: How about this, if we use scoped cookies, scoped to auth/login or something so that those user prefs aren't sent everytime, just sent once then held in the session?	15:39
ericpeterson	reality: if you have a decent sized deployment, you won't use cookies as the main session backend	15:40
doug-fish	I wonder if it would be too obscure to remove the name for each value from the cookie as well. It could just be treated like a tuple where the position of the value implies which name is goes with	15:40
doug-fish	ericpeterson: we are talking about user prefs	15:40
ericpeterson	yeah, and that stuff is fine to store in the cookies doug-fish	15:40
doug-fish	and https://review.openstack.org/#/c/118334/	15:40
doug-fish	ericpeterson: if that change doesn't concern you I'd feel much better about it.	15:40
ericpeterson	yeah, those cookies are going to be pretty small. those I think are fine with that change	15:42
*** gokrokve_ has quit IRC		15:42
*** gokrokve has quit IRC		15:42
*** radez_g0n3 is now known as radez		15:42
ericpeterson	it's the token / session cookie that blows up at 4k or whatever the limit is.... that's the killer one	15:42
david-lyle	doug-fish the upper limit for total cookie size is 4K	15:43
ericpeterson	stuff like eric_page_limit=20 or whatever is minor	15:43
ericpeterson	stuff like erics	15:43
doug-fish	yeah, so these per user cookies are cutting in to the same space	15:43
ericpeterson	_seccion= dfsgsegsergsregesg (+4k+ is the hassle	15:43
doug-fish	the same 4k limit	15:43
ericpeterson	oh that sucks. I didn't realize they share the same limit	15:44
david-lyle	Yeah you can have like 50 cookies, but they can only sum to 4K	15:44
*** rebelagentm has joined #openstack-horizon		15:45
ericpeterson	but again, for this change..... how many times do you have multiple logins on that same machine??? we would be more impacted than most users, I bet	15:45
doug-fish	sure, but why exacerbate the cookie problem if this isn't a real user problem?	15:46
ericpeterson	yeah, I'm kind of -0.5 - + 0.25 on this change	15:47
doug-fish	lol	15:47
doug-fish	that's not an option	15:47
doug-fish	commit man!	15:48
ericpeterson	I wish gerrit had a range of how I felt	15:48
doug-fish	lol	15:48
doug-fish	I'd feel better about it if the names were shorter	15:49
doug-fish	89cfffa8541245ce91a49a4cdeff4cf2_django_timezone	15:49
ericpeterson	better that than the user name, sec consideration	15:49
sambetts	I would think something like 89cfffa8541245ce91a49a4cdeff4cf2 : { tz:, lang:, items: } would be neater	15:51
sambetts	less repetition of the user ID	15:51
ericpeterson	+1 on that approach	15:51
doug-fish	yep, that's looking pretty good	15:52
doug-fish	and if you used a user name instead of id that woud save some space too	15:52
doug-fish	(in most cases)	15:52
sambetts	are user names unique?	15:52
ericpeterson	no user name	15:52
doug-fish	unique enough for this purpose?	15:53
ericpeterson	I think the concern is more that the user name is left in the browser, which might be a secret	15:53
doug-fish	oh	15:54
doug-fish	hadn't thought of that	15:54
doug-fish	uid isn't secret?	15:54
ericpeterson	it is kind of... but you don't login with the user id	15:54
*** nlahouti has joined #openstack-horizon		15:54
doug-fish	yes I see	15:54
ericpeterson	so exposing that doesn't give someone 50% of the login info	15:54
sambetts	it definatly provides less information about whos logged in to the browser previously	15:54
doug-fish	so I can +1 the 89cfffa8541245ce91a49a4cdeff4cf2 : { tz:, lang:, items: } idea	15:55
*** jcoufal has quit IRC		15:56
*** EMW has joined #openstack-horizon		16:00
sambetts	doug-fish: Ok I'll get that implemented and pushed up :-)	16:01
doug-fish	sambetts: sounds good!	16:03
*** EmilyW has quit IRC		16:03
*** Drago has quit IRC		16:14
*** rm_work is now known as rm_work\|away		16:14
*** Drago has joined #openstack-horizon		16:16
*** Drago has quit IRC		16:16
*** Drago has joined #openstack-horizon		16:16
*** EMW has quit IRC		16:18
*** rm_work\|away is now known as rm_work		16:20
*** pkarikh has quit IRC		16:21
*** amotoki has quit IRC		16:27
*** radez is now known as radez_g0n3		16:27
*** jasondotstar has joined #openstack-horizon		16:29
*** alexpilotti_ has joined #openstack-horizon		16:33
*** sambetts has quit IRC		16:34
*** gokrokve has joined #openstack-horizon		16:34
*** radez_g0n3 is now known as radez		16:34
*** alexpilotti has quit IRC		16:34
*** alexpilotti_ is now known as alexpilotti		16:34
*** tosky has quit IRC		16:43
*** ygbo has quit IRC		16:44
*** sbfox has joined #openstack-horizon		16:49
*** ArcTanSusan has joined #openstack-horizon		16:50
*** jrist has quit IRC		16:58
*** gokrokve has quit IRC		16:59
*** gokrokve has joined #openstack-horizon		16:59
*** e0ne has quit IRC		17:02
ericpeterson	low hanging fruit bugs..... when you have certain listings that don't and instead we list a bunch of entries.... the overflow css should turn on scrolling past a reasonable limit	17:04
ericpeterson	that don't page I meant	17:04
*** sigmavirus24 is now known as sigmavirus24_awa		17:05
*** dsneddon has joined #openstack-horizon		17:10
*** qba73 has quit IRC		17:10
*** sbfox has quit IRC		17:11
*** athomas has quit IRC		17:13
*** harlowja has joined #openstack-horizon		17:16
*** hhuang has quit IRC		17:19
*** Dafna has quit IRC		17:21
*** harlowja has quit IRC		17:22
*** jrist has joined #openstack-horizon		17:24
*** harlowja has joined #openstack-horizon		17:24
*** sbfox has joined #openstack-horizon		17:26
*** halede has joined #openstack-horizon		17:27
*** ZZelle_ has joined #openstack-horizon		17:28
*** clu_ has joined #openstack-horizon		17:28
*** david-lyle has quit IRC		17:29
*** david-lyle has joined #openstack-horizon		17:29
*** athomas has joined #openstack-horizon		17:31
*** john-davidge has quit IRC		17:31
*** regebro has quit IRC		17:33
*** bpokorny_ has joined #openstack-horizon		17:33
*** EMW has joined #openstack-horizon		17:34
*** bpokorny has quit IRC		17:36
*** romainh has left #openstack-horizon		17:37
*** david-lyle has quit IRC		17:38
*** bpokorny has joined #openstack-horizon		17:43
*** e0ne has joined #openstack-horizon		17:44
*** ArcTanSusan has quit IRC		17:46
*** bpokorny_ has quit IRC		17:46
*** lsmola has quit IRC		18:01
*** sbfox has quit IRC		18:04
*** vijendar has quit IRC		18:04
*** jgravel_ has quit IRC		18:05
*** sigmavirus24_awa is now known as sigmavirus24		18:10
*** gokrokve has quit IRC		18:14
*** gary-smith has quit IRC		18:17
*** sbfox has joined #openstack-horizon		18:21
*** akrivoka has quit IRC		18:24
*** sayan has quit IRC		18:25
*** gokrokve has joined #openstack-horizon		18:26
*** gokrokve has quit IRC		18:27
*** gary-smith has joined #openstack-horizon		18:29
*** gokrokve has joined #openstack-horizon		18:29
*** gary-smith has quit IRC		18:30
*** gary-smith has joined #openstack-horizon		18:32
*** gokrokve has quit IRC		18:34
*** gokrokve has joined #openstack-horizon		18:35
*** e0ne has quit IRC		18:35
*** EMW has quit IRC		18:40
*** vijendar has joined #openstack-horizon		18:41
*** bpokorny has quit IRC		18:50
*** AndroUser2 has joined #openstack-horizon		18:50
*** AndroUser2 is now known as david-lyle		18:51
*** bpokorny has joined #openstack-horizon		18:53
*** ArcTanSusan has joined #openstack-horizon		18:56
*** Drago has quit IRC		18:56
*** Sukhdev has joined #openstack-horizon		18:58
*** pawels has joined #openstack-horizon		19:00
*** bpokorny_ has joined #openstack-horizon		19:09
*** jay-atl has quit IRC		19:10
*** bpokorny has quit IRC		19:12
*** radez is now known as radez_g0n3		19:20
*** jacalcat has quit IRC		19:21
*** ericpeterson has quit IRC		19:22
*** ericpeterson has joined #openstack-horizon		19:26
*** EmilyW has joined #openstack-horizon		19:26
*** alexpilotti has quit IRC		19:29
doug-fish	hey gary-smith, are you avail to talk about https://bugs.launchpad.net/horizon/+bug/1369865	19:30
doug-fish	I'm wondering if we should invalidate that bug. It seems to me the CSRFtoken it suppose to have a very long expiration: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works	19:31
doug-fish	But I have to confess, I can't fully understand the problems that token is suppose to solve	19:32
gary-smith	ok	19:32
doug-fish	you think there is some risk with that?	19:33
gary-smith	I had seen some hack mentioned wrt to this. I'll have to go dig it up	19:34
ericpeterson	expires=Fri, 11-Sep-2015 07:52:52 GMT -> that is probably a bit too long. you want that to be something like how long would someone reasonably keep their browser open for	19:34
*** e0ne has joined #openstack-horizon		19:38
gary-smith	that or just use a session cookie	19:38
doug-fish	ericpeterson: when I read that django doc I linked above it sounded to me that they really wanted it to never expire	19:38
doug-fish	isn't this an additional protection, used along with a session cookie?	19:38
doug-fish	sorry	19:38
doug-fish	I'm mixing up terms	19:38
ericpeterson	it's used on every form post, with or without the user being logged in	19:39
doug-fish	I don't really understand what its supposed to be protecting	19:39
*** nlahouti has quit IRC		19:39
ericpeterson	the server gives out a random token to the browser.... this prevents anyone from randomly posting from any site.... or at least is filters out many initial DOS attacks	19:40
doug-fish	but stealing one isn't especially helpful is it?	19:40
doug-fish	Horizon will give anyone a CSRFToken who points their browser at it	19:41
*** dsneddon is now known as dsneddon_lunch		19:41
ericpeterson	correct, but i think part of that csrf thing helps cylce the token frequently and keep you from just reusing it	19:42
gary-smith	I believe if a hacker had access to the csrftoken, they could include it in a post, making it appear legit	19:42
ericpeterson	yep	19:42
doug-fish	wouldn't they need a sessionId cookie as well?	19:43
gary-smith	no	19:43
gary-smith	with csrf attacks, the idea is that the hacker creates a web page that does a post (in this case) to horizon	19:44
ericpeterson	but the chttps://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern	19:44
ericpeterson	sorry, that link might not have come through :o	19:44
gary-smith	and the browser will automatically give the session token to horizon	19:44
gary-smith	(although the hacker's site will not have access to that token)	19:44
doug-fish	okay, I'll read up a bit ... thanks for the info + the link!	19:46
gary-smith	the page ericpeterson points to suggests going further and re-generating a new csrf token for every request	19:47
ericpeterson	yeah, that might be overkill	19:47
gary-smith	but i would suspect that that would require more changes in horizon. At a minimum, making it a session token (one with expires=0) would be an improvement	19:48
ericpeterson	but I have seen cases where horizon gets an error where your csrf stuff doesn't match up. I think if you change your secret_key that is one way to almost force the issue	19:48
ericpeterson	(not that changing the secret_key is a good idea, it is supposed to break stuff when you change that)	19:48
gary-smith	what is "secret_key" ?	19:48
gary-smith	doesn't appear to be a cookie	19:49
*** harlowja has quit IRC		19:50
ericpeterson	it's a django setting to setup determine how to encrypt stuff like the session info	19:50
gary-smith	ah, ok	19:50
ericpeterson	https://docs.djangoproject.com/en/1.7/ref/settings/#std:setting-SECRET_KEY	19:50
ericpeterson	in the case of horizon, if you set it up in a HA mode you will want to have a shared secret key	19:51
doug-fish	gary-smith, ericpeterson: you guys think this is nonsense? https://groups.google.com/forum/#!msg/django-developers/3vG7H3kRBZ0/rZmJFazA4YMJ	19:52
*** radez_g0n3 is now known as radez		19:53
ericpeterson	it's on the internet, it's totally true	19:53
ericpeterson	seriously, I believe that though	19:53
ericpeterson	not that all things on the internet are true.... but that link sounds right to me	19:54
*** harlowja has joined #openstack-horizon		19:55
*** pawels has quit IRC		19:55
gary-smith	FWIW, this bug (1369865) appears to be the output of some automatic website security evaluation tool that doesn't take this kind of stuff into account	19:55
doug-fish	gary-smith, agreed.	19:56
doug-fish	I'm just trying to sort out if there is a real security exposure here, and how serious it is	19:56
doug-fish	My first assertion is that this isn't a security problem, its what the django developers had in mind. But I dont' understand the concept well enough yet to really make that assertion.	19:57
gary-smith	that is much appreciated. I took a look, read a few pages, and it looked like a potential problem, with probably a simple solution (changing the expiration)	19:57
gary-smith	but if further research shows that it's not a problem, then that is fine, too	19:57
*** gokrokve has quit IRC		19:58
gary-smith	(I am not a web security expert, in case that was not abundantly clear)	19:58
doug-fish	lol	19:58
doug-fish	understood.	19:58
*** gokrokve has joined #openstack-horizon		19:59
gary-smith	There is a similar bug, https://bugs.launchpad.net/horizon/+bug/1369870, found by that same tool. Have you guys ever heard of a "messages" cookie?	20:00
*** pawels has joined #openstack-horizon		20:01
doug-fish	gary-smith ... I'm almost certain I've reviewed code related to the messages cookie ....	20:02
*** jay-atl has joined #openstack-horizon		20:03
gary-smith	I found a use in horizon/test/helpers.py... now I just have to see where this is test-only	20:04
gary-smith	c/where/whether/	20:04
doug-fish	no, I don't think so ...	20:04
doug-fish	I think its these things: https://docs.djangoproject.com/en/1.6/ref/contrib/messages/	20:05
doug-fish	oh nice:	20:06
doug-fish	https://docs.djangoproject.com/en/1.6/ref/contrib/messages/#django.contrib.messages.storage.cookie.CookieStorage	20:06
doug-fish	it looks like the messages are signed	20:06
*** jacalcat has joined #openstack-horizon		20:06
gary-smith	very helpful	20:06
*** jay-atl has quit IRC		20:08
*** jay-atl has joined #openstack-horizon		20:09
doug-fish	ooh check this out: https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-age	20:09
doug-fish	once we get to 1.7 we can set the age of the csrf cookie	20:10
*** jay-atl has quit IRC		20:10
gary-smith	good. Is there a way to adjust this pre-1.7 ?	20:12
*** jay-atl has joined #openstack-horizon		20:13
gary-smith	Similarly, https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-secure is only available in 1.7 to secure the messages cookie	20:13
*** subbu_ has joined #openstack-horizon		20:14
*** julim has quit IRC		20:17
*** pawels has quit IRC		20:17
*** sbfox has quit IRC		20:20
*** ArcTanSusan has quit IRC		20:24
doug-fish	gary-smith: I'd think the only way to adjust the age of the csrf cookie prior to 1.7 would be to patch this code: https://github.com/django/django/blob/1.6c1/django/middleware/csrf.py#L197	20:25
*** ttrifonov is now known as ttrifonov_zZzz		20:25
gary-smith	yuck	20:27
gary-smith	or maybe extend the CsrfViewMiddleware class and supply an alternate process_response method	20:28
doug-fish	I understand why the CSRF token works if its on a per request basis, but for these longer ones (either sesssion or a year) I don't understand what it provides beyond requiring a valid sessionId	20:28
doug-fish	yeah that's better	20:28
*** ArcTanSusan has joined #openstack-horizon		20:29
gary-smith	I think the idea is that the csrf token has to be somewhere in the payload of the POST, and that CSRF attacks don't have access to these cookies	20:30
*** ArcTanSusan has quit IRC		20:31
*** bpokorny_ has quit IRC		20:36
*** nlahouti has joined #openstack-horizon		20:36
*** sbfox has joined #openstack-horizon		20:37
*** bpokorny has joined #openstack-horizon		20:40
*** crobertsrh is now known as _crobertsrh		20:48
*** radez is now known as radez_g0n3		20:48
*** e0ne has quit IRC		20:52
*** aix has joined #openstack-horizon		20:56
*** e0ne has joined #openstack-horizon		20:56
*** Sukhdev has quit IRC		20:58
*** ArcTanSusan has joined #openstack-horizon		21:01
*** jcoufal has joined #openstack-horizon		21:02
*** cedrics has quit IRC		21:03
*** TravT has joined #openstack-horizon		21:03
*** Sukhdev has joined #openstack-horizon		21:09
*** EMW has joined #openstack-horizon		21:09
*** EmilyW has quit IRC		21:11
*** Drago1 has quit IRC		21:12
*** EmilyW has joined #openstack-horizon		21:13
*** sayali has quit IRC		21:16
*** EMW has quit IRC		21:17
*** Drago1 has joined #openstack-horizon		21:18
*** david-lyle has quit IRC		21:19
*** Drago has joined #openstack-horizon		21:24
*** Drago has quit IRC		21:25
*** Drago has joined #openstack-horizon		21:25
*** bpokorny has quit IRC		21:27
*** david-lyle has joined #openstack-horizon		21:30
*** david-lyle has quit IRC		21:31
*** david-lyle has joined #openstack-horizon		21:32
*** jtomasek has quit IRC		21:32
*** bpokorny has joined #openstack-horizon		21:35
*** ArcTanSusan has quit IRC		21:37
*** neelashah has quit IRC		21:47
*** ArcTanSusan has joined #openstack-horizon		21:48
*** jgravel has joined #openstack-horizon		21:49
*** ericpeterson has quit IRC		21:56
*** aix_ has joined #openstack-horizon		21:57
*** rebelagentm has quit IRC		21:57
*** dsneddon_lunch is now known as dsneddon		21:58
*** jcoufal has quit IRC		21:59
*** nlahouti has quit IRC		22:00
*** aix has quit IRC		22:00
*** nlahouti has joined #openstack-horizon		22:00
*** nlahouti has quit IRC		22:03
*** EMW has joined #openstack-horizon		22:05
*** EmilyW has quit IRC		22:06
*** mikedillion has joined #openstack-horizon		22:10
*** rbertram has quit IRC		22:17
*** mikedillion has quit IRC		22:23
*** e0ne has quit IRC		22:29
*** mikedillion has joined #openstack-horizon		22:30
*** jasondotstar has quit IRC		22:33
*** e0ne has joined #openstack-horizon		22:33
*** e0ne has quit IRC		22:33
*** alexpilotti has joined #openstack-horizon		22:38
*** neillc has joined #openstack-horizon		22:38
*** nlahouti has joined #openstack-horizon		22:47
*** ZZelle_ has quit IRC		22:47
*** nlahouti has quit IRC		22:47
*** woodm1979 has quit IRC		22:48
*** r1chardj0n3s is now known as r1chardj0n3s_afk		22:48
*** nlahouti has joined #openstack-horizon		22:51
*** nlahouti has quit IRC		22:51
*** jacalcat has quit IRC		22:52
gary-smith	david-lyle: question about https://bugs.launchpad.net/horizon/+bug/1374931	22:54
gary-smith	think that oughta be critical?	22:54
gary-smith	it prevents launching instances from volume snapshots	22:55
*** nlahouti has joined #openstack-horizon		23:00
*** sigmavirus24 is now known as sigmavirus24_awa		23:08
*** Sukhdev has quit IRC		23:08
*** ArcTanSusan has quit IRC		23:10
*** ArcTanSusan has joined #openstack-horizon		23:15
*** david-lyle has quit IRC		23:16
*** doug-fish has left #openstack-horizon		23:17
*** r1chardj0n3s_afk is now known as r1chardj0n3s		23:24
*** mikedillion has quit IRC		23:25
*** neillc has quit IRC		23:33
*** EMW has quit IRC		23:34
*** Sukhdev has joined #openstack-horizon		23:38
*** lhcheng has joined #openstack-horizon		23:54
*** gokrokve has quit IRC		23:55
*** TravT has quit IRC		23:56
*** lhcheng has joined #openstack-horizon		23:58
*** lhcheng has left #openstack-horizon		23:58
*** harlowja is now known as harlowja_away		23:59
*** lhcheng has joined #openstack-horizon		23:59
*** lhcheng has left #openstack-horizon		23:59
*** lcheng has joined #openstack-horizon		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!