CSRF name changed in v2.x #3801
With version 2.x, I can see some random number suffixed to the login CSRF name, and also the default CSRF name is changed. Why this change?
Answered by
terev
Jul 24, 2024
Replies: 2 comments
The random number is actually a hash of the oauth client's id. Seems to be so that login session csrf tokens are isolated based on the oauth client. In turn this allows concurrent login sessions for different oauth clients to succeed.
Answer selected by
rubanraj-r
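The isolation described in the answer, as an added Go sketch that is not the project's code: it models one browser starting login flows for two OAuth clients, first with a shared CSRF cookie name and then with a per-client suffix. The base cookie name, client ids and tokens are constructed, and FNV-1a is an assumed stand-in because the page does not say which hash is used.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"hash/fnv"
)

// baseName is a constructed cookie name, not the project's real default.
const baseName = "login_csrf"

// cookieName appends a hash of the client id when perClient is set.
// FNV-1a is an assumption; the page does not name the hash.
func cookieName(clientID string, perClient bool) string {
	if !perClient {
		return baseName
	}
	h := fnv.New32a()
	h.Write([]byte(clientID))
	return fmt.Sprintf("%s_%d", baseName, h.Sum32())
}

// browser models one user agent's cookie jar: cookie name -> value.
type browser map[string]string

// startLogin sets the CSRF cookie for a new login flow of clientID.
func startLogin(b browser, clientID, token string, perClient bool) {
	b[cookieName(clientID, perClient)] = token
}

// finishLogin compares the token kept in the flow with the cookie value.
func finishLogin(b browser, clientID, flowToken string, perClient bool) bool {
	got, ok := b[cookieName(clientID, perClient)]
	return ok && subtle.ConstantTimeCompare([]byte(got), []byte(flowToken)) == 1
}

// concurrentLogins starts flows for two clients in the same browser (two
// tabs), then completes both. Tokens are constructed; real ones are random.
func concurrentLogins(perClient bool) (okA, okB bool) {
	b := browser{}
	startLogin(b, "client-a", "token-a", perClient)
	startLogin(b, "client-b", "token-b", perClient) // overwrites if the name is shared
	return finishLogin(b, "client-a", "token-a", perClient),
		finishLogin(b, "client-b", "token-b", perClient)
}

func main() {
	a, b := concurrentLogins(false)
	fmt.Println("shared name:    ", a, b)
	a, b = concurrentLogins(true)
	fmt.Println("per-client name:", a, b)
}
```

With the shared name, the second flow overwrites the first flow's cookie, so the first login fails its CSRF check; with the suffix, both complete.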
Thanks @terev