Forum: Ruby on Rails Page Caching, CSRF, and Loading a form via Ajax

Raviv M-G (Guest)
on 2011-08-28 12:01
(Received via mailing list)
Hi all,

I would like to use page caching on my homepage, but also want to
enable people to sign in via a modal dialog sign in form.  I could
have a setup in which when a user lands on the cached homepage, an
Ajax GET request pulls in the whole login form so that there is a
fresh authenticity token.

That said, besides the additional hit to the server, the CSRF token in
the head area of the page could be different (left over in the page
cache from another user).

I'm guessing that loading a form like this through Ajax is not
advisable, but since it works and most people hit the site without
signing in, I'm wondering why not just load the form via an Ajax GET
call?

Thanks,
Raviv
Frederick Cheung (Guest)
on 2011-08-28 12:14
(Received via mailing list)
On Aug 28, 5:48am, Raviv M-G <ravi...@gmail.com> wrote:
> cache from another user).
>
> I'm guessing that loading a form like this through Ajax is not
> advisable, but since it works and most people hit the site without
> signing in, I'm wondering why not just load the form via an Ajax GET
> call?
>
Well, I'm sure that would work, but is there any point to CSRF
protection for a login form?

The aim of the token is to stop an attacker getting an already logged
in user to submit form data unwittingly, but with a login action it
doesn't seem like they can do any harm, since unless the attacker
knows the user's credentials all they are ever going to trigger is a
"bad login please try again" page. On top of that, when the CSRF token
doesn't match up, these days what happens is that your session gets
reset, so that the request gets handled like a non-logged user's
would.

Fred
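The situation both posts describe, as an added toy model rather than Rails code: a page cache that bakes one visitor's authenticity token into a shared rendering, an uncached Ajax path that renders the form with the caller's own token, and a verification step that, like the Rails behaviour Fred mentions, resets the session on mismatch instead of raising. Class and method names here are made up for the illustration.

```ruby
require "securerandom"

# Per-session CSRF tokens (a stand-in for what Rails keeps in the session).
class SessionStore
  def initialize; @sessions = {}; end
  def csrf_token(session_id)
    @sessions[session_id] ||= SecureRandom.hex(16)
  end
  def reset(session_id); @sessions.delete(session_id); end
  def token?(session_id); @sessions.key?(session_id); end
end

class ToyApp
  attr_reader :sessions
  def initialize
    @sessions = SessionStore.new
    @page_cache = {} # path => HTML, shared by every visitor after the first
  end

  # Renders the login form carrying the token of the *requesting* session.
  def render_login_form(session_id)
    "<form><input name='authenticity_token' value='#{sessions.csrf_token(session_id)}'></form>"
  end

  # Page caching: whoever renders first has their token stored for everyone.
  def homepage(session_id)
    @page_cache["/"] ||= render_login_form(session_id)
  end

  # The Ajax GET route from the original post: never cached.
  def login_form_via_ajax(session_id)
    render_login_form(session_id)
  end

  def extract_token(html)
    html[/value='([0-9a-f]+)'/, 1]
  end

  # A bad token does not raise; the session is reset and the request
  # continues as a non-logged-in user's would.
  def post_login(session_id, submitted_token)
    return :verified if submitted_token == sessions.csrf_token(session_id)
    sessions.reset(session_id)
    :session_reset
  end

  # Alice warms the cache; Bob is served Alice's token, submits it, and is
  # reset. Fetching the form via Ajax gives Bob a token that verifies.
  def run_scenario
    homepage("alice")
    cached = post_login("bob", extract_token(homepage("bob")))
    fresh  = post_login("bob", extract_token(login_form_via_ajax("bob")))
    [cached, fresh]
  end
end
```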