TYPO3.Flow

FLOW3 Request Stack
Idea: reconstitute original request after login/validation errors
- > also a way to implement CSRF security w/o hashes on every link/form

Evaluate possibility to make request stack optional:

• if Request Stack is disabled, current request could be attached to links/forms in a serialized form (similar to the hidden referrer fields in Fluid forms now)

If an error occurs (validation error, security exception...)

• catch exception/error

• push current parent request on the stack $request->pushToStack(); or $requestStack->pushRequest($request)

• do something else - > e.g. call authentication entry point (login page)

• in the action controller: $this->replayLastRequest();

• (future feature): if session based request stack is inactive (by configuration) the current request could hold the last request as argument (__referrer...)

foo?@package=MyMainPackage&f3_MyPlugin[@package]=MySubPackage

<input type="hidden" name="__referrer[package]" value="MyMainPackge" />
<input type="hidden" name="f3_MyPlugin[__referrer][package]" value="MySubPackge" />

Questions:

• Should every request be pushed to the stack by default (only the last request)?

• Can hidden referrer fields really be replaced by the stack?

• What about multiple forms on one page? - > should work because we're only interested in the parent request

session based:

login link:

<a href="secure">link</a>
- > push request to stack
- > display login form
- > resume request

form validation:

- > push request to stack (form view helper? no, should happen by default)
<input type="text" name="name" />
- > // validation errors
- > resume request

stateless (without session):

<a href="secure?__referrer=xyz">link</a>
- > display login form - add hidden fields for referrer
- > build request from referrer & arguments from current request

<input type="text" name="name" />
<input type="hidden" name="__referrer.." value="xyz" />
- > // validation errors
- > build request from referrer & arguments from current request

"Normal" login process

- Request1 (show link to protected page)
- RequestStack: Request1

- Request2 (click on link)
- SecurityException - > redirect to login form (Request3)
- RequestStack: Request2, Request3

- Request4 (login form submit)
- Login accepted - > redirect to original Request (Request2)
- RequestStack: Request4

Login process with validation errors:

- Request1 (show link to protected page)
- RequestStack: Request1

- Request2 (click on link)
- SecurityException - > redirect to login form (Request3)
- RequestStack: Request2, Request3

- Request4 (login form submit)
- Login validation error - > redirect to login form with Request3 & arguments from Request4
- RequestStack: Request2, Request3