CSRF tokens for mobile apps

I have an existing rails backend website which makes json ajax calls to
my
server and I was passing csrf tokens in every ajax call. Now,I am
developing a mobile iOS app to use the same backend and send calls in
json.
However, mobile requests are failing with “Can’t verify CSRF token
authenticity”, because i dont know of anyway to send the csrf token to
rails from app.

Looking around, many people are suggesting to disable CSRF protection if
the call is json call - but I dont want to do that because my website
all
uses json calls and that leaves my site open for attacks.

My question is:

  1. How can i let my iOS app know the rails generated csrf token to use
    it
    in all app calls to server? Is it possible

  2. Is there any other way that I can work around this problem?

Thanks,
Anish

Anish,

Check out this post

http://stackoverflow.com/questions/5669322/turn-off-csrf-token-in-rails-3

see u

2012/5/20 Anish [email protected]:

Hi Daniel,
Thanks, I saw this post earlier. but this suggests me to remove csrf
verification - which i dont want to do. Because, thats a security
vulnerability. Attackers can send POST requests from another site for
currently logged in user. Specifically my questions are:

  1. How can i let my iOS app know the rails generated csrf token to use
    it
    in all app calls to server? Is it possible

  2. Is there any other way that I can work around this problem with out
    compromising security?

Thanks,
Anish

I have an existing rails backend website which makes json ajax calls to my
server and I was passing csrf tokens in every ajax call. Now,I am
developing a mobile iOS app to use the same backend and send calls in json.
However, mobile requests are failing with “Can’t verify CSRF token
authenticity”, because i dont know of anyway to send the csrf token to
rails from app.

This isn’t so much a rails question as an iOS programming question.
In addition, a little very simple googling shows everything you need
to know to be able to do this (simple enough that it’s obvious you
didn’t even try).

Check out

http://stackoverflow.com/questions/3047563/rails-3-authenticity-token

to see how the token is sent to a browser. You can probably just use:

<%= form_authenticity_token %>

to set the value of the token in your initial response to the iOS
app. A quick test shows that AJAX requests to the server include the
token as a custom header in the request.

To learn how to set a custom http header in your iOS app, see:

http://stackoverflow.com/questions/1532206/changing-the-useragent-of-nsurlconnection

Jim

that is straight forward: just copy the form_authenticity_token to a
header
field and let your app send it back as header

https://github.com/mkristian/ixtlan-translations/blob/master/app/controllers/local_controller.rb

that is the controller I use as base for my controllers talking to
rest-clients (GWT applications)

  • Kristian

Hey Jim, don’t be a jerk, especially when your answer is wrong.

Using <%= form_authenticity_token %> doesn’t work because you don’t have
a server to dynamically insert content into html as an app is static and
packaged on the client device (iPhone/iPad).

CSRF should not be a possible attack inside of an app. Your session is
isolated to the app and cross domain origin policies in the browser will
prevent the attack. Also, since you are using an app you can implement
sessions without the use of cookies entirely.

On Sunday, 20 May 2012 19:26:08 UTC-4, Anish wrote:

uses json calls and that leaves my site open for attacks.

My question is:

  1. How can i let my iOS app know the rails generated csrf token to use it
    in all app calls to server? Is it possible

  2. Is there any other way that I can work around this problem?

Since this thread has been revived, it seems reasonable to mention that
you
may not want to use session state in your API at all - some HTTP clients
may not support it out-of-the-box, etc. Oauth or Oauth2 is a possible
alternative - there are some very slick gems to help with this
(devise_oauth2_providable, among others).

–Matt J.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs