Rails 3 authenticity token

I’m working on a legacy Rails app. I was told about a few instances where the application is vulnerable to CSRF attacks.
One is a password reset form. I wondered how it could be vulnerable, because it has an authenticity token and the accompanying CSRF meta tags. In Chrome I removed the token from the form and submitted it; to my surprise it succeeded with no issue at all. The only small indication that something was amiss was a warning in the server log: "WARNING: Can't verify CSRF token authenticity". Is this standard behaviour? Shouldn’t the app crash in the dev environment?
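The behaviour the post describes is the Rails 3 default: `protect_from_forgery` does not raise on a missing or wrong token; it calls `handle_unverified_request`, which logs that warning, resets the session and lets the action run. An action that does not depend on the session (a password reset keyed by an emailed token, for example) therefore completes as if nothing happened. The following is an added, stand-alone Ruby re-creation of that decision path, not Rails source and not code from the poster's application; `ForgeryGuard`, its `:reset_session` / `:exception` strategies and the hash-shaped request and session are constructed for the illustration. It shows the same POST with the token removed under the Rails 3 default and under a raise-on-failure strategy (what `protect_from_forgery with: :exception` does in Rails 4+, or an overridden `handle_unverified_request` in Rails 3).

```ruby
require "securerandom"

# Constructed model of Rails-style forgery protection (not the framework's code).
# A request is "verified" when it is a GET, or when the token submitted in the
# params or the X-CSRF-Token header matches the token stored in the session.
class ForgeryGuard
  class InvalidAuthenticityToken < StandardError; end

  attr_reader :log

  # :reset_session mirrors the Rails 3 default: warn, wipe the session, continue.
  # :exception mirrors a handle_unverified_request that raises instead.
  def initialize(strategy: :reset_session)
    @strategy = strategy
    @log = []
  end

  # The per-session token that form_authenticity_token / csrf_meta_tags emit.
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  def verified_request?(request, session)
    return true if request[:method] == "GET"
    expected  = form_authenticity_token(session)
    submitted = request.dig(:params, :authenticity_token) ||
                request.dig(:headers, "X-CSRF-Token")
    !submitted.nil? && secure_compare(expected, submitted)
  end

  # Returns the session the controller action would run with. Under
  # :reset_session a failed check hands back an empty session: a logged-in
  # user silently becomes anonymous, but the action itself still executes.
  def protect(request, session)
    return session if verified_request?(request, session)
    handle_unverified_request
  end

  private

  def handle_unverified_request
    @log << "WARNING: Can't verify CSRF token authenticity"
    raise InvalidAuthenticityToken if @strategy == :exception
    {} # reset_session
  end

  # Constant-time comparison so the check does not leak the token via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed requests: a legitimate form post and the same post with the
# token removed, as the poster did in the browser. Returns what the action
# would see as its session under the chosen strategy.
def run_password_reset_post(strategy)
  guard   = ForgeryGuard.new(strategy: strategy)
  session = { user_id: 42 }
  token   = guard.form_authenticity_token(session)

  legit  = { method: "POST", params: { authenticity_token: token, password: "new" } }
  forged = { method: "POST", params: { password: "new" } } # token stripped

  {
    legit:  guard.protect(legit, session.dup),
    forged: guard.protect(forged, session.dup),
    log:    guard.log
  }
end

if __FILE__ == $0
  p run_password_reset_post(:reset_session)
  begin
    run_password_reset_post(:exception)
  rescue ForgeryGuard::InvalidAuthenticityToken => e
    puts "raised #{e.class}"
  end
end
```

Under `:reset_session` the forged post is not rejected; it only loses the session, which is why the reset form worked and the log line was the sole trace. If you want the failure to be loud in a Rails 3 app, override `handle_unverified_request` in `ApplicationController` to raise `ActionController::InvalidAuthenticityToken`, and confirm `config.action_controller.allow_forgery_protection` is not disabled in the environment you are testing (Rails turns it off in the test environment by default, not in development).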
