Ruby on Rails Sunday, March 24, 2013

Hi,

http://apidock.com/rails/ActionController/RequestForgeryProtection only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same Rails app in a new browser tab (maybe some info he'd like to read), and again he will get a new token. Then he changes to the first tab again and submits a form on that site (e.g. registration). Then he will get an InvalidAuthenticityToken error, but it was legal and common user behavior rather than request forgery.

- Is there a way to store e.g. a map with POST URLs as keys and CSRF tokens as values?
- Or storing a list of the last n CSRF tokens? The authentication procedure should then first check the newest token, etc.

Luma
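The second option in the post (remember the last n tokens, check the newest first) can be sketched as a small standalone store. This is an added example, not Rails code and not code from the original message; it uses only the Ruby standard library, the class name `CsrfTokenStore`, the window size `max_tokens` and the method names are assumptions, and a real integration would keep the array inside the session so the tokens stay bound to a single user.

```ruby
require 'securerandom'

# Added example (not part of Rails): a per-session store that remembers the
# last N CSRF tokens, so a form rendered in an older tab still validates after
# newer tabs have minted newer tokens. The array is meant to live in the
# session, so tokens remain tied to one user and are never shared across users.
class CsrfTokenStore
  DEFAULT_MAX = 5 # assumed value: keep the replay window small

  attr_reader :tokens

  def initialize(max_tokens: DEFAULT_MAX)
    @max_tokens = max_tokens
    @tokens = [] # newest token first
  end

  # Mint a fresh token for a newly rendered form; the oldest token falls off
  # the end once the window is full.
  def issue
    token = SecureRandom.base64(32)
    @tokens.unshift(token)
    @tokens.pop while @tokens.length > @max_tokens
    token
  end

  # Validate a submitted token against every remembered token, newest first
  # (the order the post proposes). Each comparison is constant-time, so the
  # check does not reveal how many leading bytes of a guess were correct.
  def valid?(submitted)
    return false unless submitted.is_a?(String)
    @tokens.any? { |t| secure_compare(t, submitted) }
  end

  # Discard all tokens, e.g. on login or logout, so a token issued before the
  # privilege level changed cannot be replayed afterwards.
  def reset!
    @tokens.clear
  end

  private

  # Constant-time comparison: length check first (token length is public),
  # then XOR every byte and only look at the accumulated difference.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Usage: the two-tab scenario from the post, with a window of three tokens.
if __FILE__ == $PROGRAM_NAME
  store = CsrfTokenStore.new(max_tokens: 3)
  tab1 = store.issue # registration form opened first
  tab2 = store.issue # info page opened in a second tab
  puts store.valid?(tab1)            # true: the older form still submits
  puts store.valid?(tab2)            # true
  puts store.valid?('forged-token')  # false
end
```

The window size is the trade-off: each extra remembered token is one more value an attacker would have to guess, so a handful is enough to cover open tabs without widening the guessing space. Clearing the store on login and logout keeps a token minted in an anonymous session from carrying over into an authenticated one.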

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/RWB4vKLUURgJ.
For more options, visit https://groups.google.com/groups/opt_out.