Ruby on Rails Friday, December 28, 2012

Hey Jim, don't be a jerk, especially when your answer is wrong.

Using <%= form_authenticity_token %> doesn't work because you don't have
a server to dynamically insert content into the HTML: an app is static and
packaged on the client device (iPhone/iPad).

CSRF should not be a possible attack inside of an app. Your session is
isolated to the app and cross domain origin policies in the browser will
prevent the attack. Also, since you are using an app you can implement
sessions without the use of cookies entirely.
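The check that `form_authenticity_token` feeds, written out as an added example (not code from the thread or from Rails itself, though it is modelled on Rails' masked-token scheme): the token is a random secret kept in the server-side session, masked with a fresh one-time pad each time it is rendered, and unmasked and compared on submit. It makes the point above concrete: the check only works when the server holds a per-session secret, so a client that authenticates with a bearer token instead of a cookie has nothing for this check to protect. `session` is a plain Hash standing in for the Rails session (constructed for the example).

```ruby
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32 # raw secret bytes, as in Rails' AUTHENTICITY_TOKEN_LENGTH

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so a timing side channel cannot leak the secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The per-session secret; created lazily when a page is rendered.
# `session` is a Hash standing in for the server-side session (assumption).
def raw_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

# What the <%= form_authenticity_token %> helper emits: pad + (pad XOR secret),
# so every rendered form carries a different string for the same secret.
def masked_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.urlsafe_encode64(pad + xor_bytes(pad, raw_csrf_token(session)), padding: false)
end

# Server-side verification on a state-changing request: unmask and compare
# against the secret in this request's session. No session secret means
# there is nothing to compare against, so the request is rejected.
def valid_token?(session, submitted)
  secret = session[:_csrf_token]
  return false if secret.nil? || !submitted.is_a?(String)
  decoded = Base64.urlsafe_decode64(submitted)
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), secret)
rescue ArgumentError # malformed base64 from a forged or corrupted submission
  false
end
```

A forged cross-site request carries the victim's session cookie but cannot read the page that contains the masked token, so it fails `valid_token?`; a packaged app that sends a bearer token in a header never has a session cookie attached by the browser in the first place.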
