CSRF questions

Running ruby 1.9.3 and Rails 3.2.8.

I feel like I’m not fully understanding how CSRF works.

I have protect_from_forgery in my ApplicationController.

So, now should all non-GET requests require an authentication token?

Specifically, I have a destroymethod that doesn’t seem to care if a
token is present or not.
(I can submit a curl request in terminal, and it doesn’t balk.)

Does being in development have something to do with it?

Thanks.

On Monday, August 20, 2012 5:47:11 PM UTC+1, Johnny wrote:

Running ruby 1.9.3 and Rails 3.2.8.

I feel like I’m not fully understanding how CSRF works.

I have protect_from_forgery in my ApplicationController.

So, now should all non-GET requests require an authentication token?

Yes (unless you explicitly skip the before filter that does that
verification)

Specifically, I have a destroymethod that doesn’t seem to care if a
token is present or not.
(I can submit a curl request in terminal, and it doesn’t balk.)

What happens? The default action when the token is missing or invalid is
to
reset the session (to clear your credentials. there is also a hook for
libraries like devise to zap their credential storage) and then continue
processing the request. Given that CSRF is about using a users
credentials
without them knowing it, then if the action didn’t require
authentication
in the first place it is considered ok. You can overwrite
the handle_unverified_request if you want to change this (for example
you
could restore the rails 2.x behaviour which was to raise an exception)

Does being in development have something to do with it

No

Fred

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs