Comment 1 for bug 1197459

Loganathan Parthipan (parthipan) wrote :

A possible design to address this without having to change noVNC:

1. Generate the URL as usual.
2. Upon the first use of the URL:
        2.1 Replace the token within nova with a new token (effectively invalidating the original token)
        2.2 Set this new token as a session cookie (secure=True, httponly=True) in the browser
3. Subsequent authentications (for html and js resources) will use this session cookie
4. Upon switching to websockets, invalidate both the session cookie in the browser and the token in nova.

I don't think step 4 is a good approach. A better way would be to track the state of the authentication on the server side so that no new auth can be done with this token but let the existing connection use it as necessary. But this would require more changes.
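
A sketch of the token lifecycle proposed in the comment above, added here as an illustration; it is not part of the original comment and is not nova or noVNC code. The class, the method names, the in-memory storage and the cookie name `token` are assumptions. It implements the server-side state tracking variant: the websocket upgrade marks the session token as bound instead of deleting it.

```python
import secrets
from http.cookies import SimpleCookie

class ConsoleTokenStore:
    """Hypothetical in-memory token store (an assumption, not nova's consoleauth)."""

    def __init__(self):
        self._url_tokens = {}  # single-use URL token -> instance id
        self._sessions = {}    # session token -> {"instance": ..., "state": ...}

    def issue_url_token(self, instance_id):
        """Step 1: the token embedded in the console URL."""
        token = secrets.token_urlsafe(32)
        self._url_tokens[token] = instance_id
        return token

    def redeem_url_token(self, url_token):
        """Step 2: first use swaps the URL token for a fresh session token."""
        instance_id = self._url_tokens.pop(url_token, None)  # original is now invalid
        if instance_id is None:
            return None  # unknown token, or the URL was already used once
        session = secrets.token_urlsafe(32)
        self._sessions[session] = {"instance": instance_id, "state": "new"}
        return session

    def check_resource(self, session):
        """Step 3: html/js requests authenticate with the cookie value."""
        entry = self._sessions.get(session)
        return entry is not None and entry["state"] == "new"

    def bind_websocket(self, session):
        """Alternative to step 4: one websocket may bind; later auth is refused."""
        entry = self._sessions.get(session)
        if entry is None or entry["state"] != "new":
            return None
        entry["state"] = "bound"  # existing connection keeps working
        return entry["instance"]

    def close_websocket(self, session):
        """Drop the server-side state when the console connection ends."""
        self._sessions.pop(session, None)

def session_cookie_header(session):
    """Step 2.2: Set-Cookie value with Secure and HttpOnly and no expiry."""
    cookie = SimpleCookie()
    cookie["token"] = session
    cookie["token"]["secure"] = True
    cookie["token"]["httponly"] = True
    cookie["token"]["path"] = "/"
    return cookie["token"].OutputString()
```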