How to pass anti-fake state to Google or javascript login button?

I follow this guide to create a login button.

https://developers.google.com/+/web/signin/server-side-flow

But I don't see how the anti-fake state is transmitted to the button fragment (step 4).

Should there be a parameter, for example a `data-state` attribute, for the button?

The full tutorial does not mention how the status code is passed from the page to the google server and back to my signInCallback function.

```html
<div id="signinButton">
  <span class="g-signin"
    data-scope="https://www.googleapis.com/auth/plus.login"
    data-clientid="YOUR_CLIENT_ID"
    data-redirecturi="postmessage"
    data-accesstype="offline"
    data-cookiepolicy="single_host_origin"
    data-callback="signInCallback">
  </span>
</div>
```

Then, in step 6, I don't see how the state is passed to the ajax server call. So how does this if-condition work in step 7?

```python
if request.args.get('state', '') != session['state']:
```

Thanks for any help in advance.

+4
2 answers

After a short conversation, I found that there is an undocumented parameter for the button, `data-state`. Once I set it, I could get it back in my callback function.

```html
<div id="signinButton">
  <span class="g-signin"
    data-scope="https://www.googleapis.com/auth/plus.login"
    data-clientid="YOUR_CLIENT_ID"
    data-state="MY_STATE"
    data-redirecturi="postmessage"
    data-accesstype="offline"
    data-cookiepolicy="single_host_origin"
    data-callback="signInCallback">
  </span>
  <!-- The state (data-state) is sent to Google and back to my callback -->
</div>
```
+7

The state ends up as the value stored in the session variable. Sessions are usually represented by session cookies, which are random. The session cookie is automatically sent along with the ajax request, so there is nothing specific you need to do. I'm not sure if PHP puts the state code in a cookie directly or uses a session cookie to track the session, but it should be equally effective in either case. The whole point of the anti-fake code is to make sure that someone cannot blindly attack your server.

You will notice that this has nothing to do with the button itself. You do not need to send it to Google, and Google does not want to. It is just between your server and the displayed page.

0
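The two answers above describe two halves of one mechanism: the server mints the state and keeps it in the session (step 2 of the guide), the page hands it to the button via `data-state`, and the `/connect` handler compares what comes back with the session copy (step 7). The following is an added, self-contained example of that round trip, not code from the question or from Google's guide; the session store, the `session_id` cookie value, `start_login`, `render_button` and `handle_connect` are all assumed names, and `secrets.token_urlsafe` stands in for the guide's own token generation.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a server-side session store (Flask's `session` in
# the guide); keyed by the session-cookie value, which the browser sends with
# the AJAX request on its own.
SessionStore = Dict[str, Dict[str, str]]


def start_login(sessions: SessionStore, session_id: str) -> str:
    """Step 2: mint a random anti-forgery state, remember it in this user's
    session, and return it so the page template can embed it in the button.
    The session copy is the trusted reference; the page copy is what Google
    echoes back to signInCallback."""
    state = secrets.token_urlsafe(32)
    sessions.setdefault(session_id, {})["state"] = state
    return state


def render_button(state: str, client_id: str = "YOUR_CLIENT_ID") -> str:
    """Step 4: the button fragment with the per-session state in data-state."""
    return (
        '<span class="g-signin" '
        'data-scope="https://www.googleapis.com/auth/plus.login" '
        f'data-clientid="{client_id}" '
        f'data-state="{state}" '
        'data-redirecturi="postmessage" '
        'data-accesstype="offline" '
        'data-cookiepolicy="single_host_origin" '
        'data-callback="signInCallback"></span>'
    )


def handle_connect(sessions: SessionStore, session_id: str,
                   query_state: Optional[str]) -> str:
    """Step 7: the AJAX /connect request carries the session cookie
    (session_id) and the state echoed back from Google (query_state).
    Refuse unless it matches the value stored for this very session."""
    expected = sessions.get(session_id, {}).get("state")
    if expected is None or query_state is None:
        return "401 Invalid state parameter"
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, query_state):
        return "401 Invalid state parameter"
    # One-time use: forget the token so a replayed request is refused too.
    del sessions[session_id]["state"]
    return "200 state accepted; now exchange the one-time code"
```

A request that arrives with a guessed state, with no state, or under a different session cookie is rejected, and the token is consumed on first success.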

Source: https://habr.com/ru/post/1482056/
