I have an existing rails backend website which makes json ajax calls to my
server and I was passing csrf tokens in every ajax call. Now, I am
developing a mobile iOS app to use the same backend and send calls in json.
However, mobile requests are failing with "Can't verify CSRF token
authenticity", because I don't know of any way to send the csrf token to
rails from the app.

Looking around, many people are suggesting to disable CSRF protection if
the call is a json call - but I don't want to do that because my website
uses json calls everywhere and that leaves my site open for attacks.

My question is:

1) How can I let my iOS app know the rails-generated csrf token to use it
in all app calls to the server? Is it possible?

2) Is there any other way that I can work around this problem?


Thanks,
Anish

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/CDfpubpXzYsJ.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.


  • Daniel Shimoyama at May 20, 2012 at 11:57 pm
    Anish,

    Check out this post

    http://stackoverflow.com/questions/5669322/turn-off-csrf-token-in-rails-3

    see u

  • Anish at May 21, 2012 at 12:14 am
    Hi Daniel,
Thanks, I saw this post earlier, but this suggests that I remove csrf
verification - which I don't want to do. Because that's a security
vulnerability. Attackers can send POST requests from another site for the
currently logged in user. Specifically my questions are:

1) How can I let my iOS app know the rails-generated csrf token to use it
in all app calls to the server? Is it possible?

2) Is there any other way that I can work around this problem without
compromising security?

    Thanks,
    Anish
  • Jim at May 21, 2012 at 2:42 pm

    This isn't so much a rails question as an iOS programming question.
    In addition, a little very simple googling shows everything you need
    to know to be able to do this (simple enough that it's obvious you
    didn't even try).

    Check out

    http://stackoverflow.com/questions/3047563/rails-3-authenticity-token

    to see how the token is sent to a browser. You can probably just use:

    <%= form_authenticity_token %>

    to set the value of the token in your initial response to the iOS
    app. A quick test shows that AJAX requests to the server include the
    token as a custom header in the request.

    To learn how to set a custom http header in your iOS app, see:

    http://stackoverflow.com/questions/1532206/changing-the-useragent-of-nsurlconnection

    Jim

  • Keith L. at Dec 29, 2012 at 7:59 am
    Hey Jim, don't be a jerk, especially when your answer is wrong.

    Using <%= form_authenticity_token %> doesn't work because you don't have
    a server to dynamically insert content into html as an app is static and
    packaged on the client device (iPhone/iPad).

    CSRF should not be a possible attack inside of an app. Your session is
    isolated to the app and cross domain origin policies in the browser will
    prevent the attack. Also, since you are using an app you can implement
    sessions without the use of cookies entirely.

  • Mkristian at Dec 29, 2012 at 9:47 am
That is straightforward: just copy the form_authenticity_token to a header
field and let your app send it back as a header.

    https://github.com/mkristian/ixtlan-translations/blob/master/app/controllers/local_controller.rb

That is the controller I use as a base for my controllers talking to
REST clients (GWT applications).

    - Kristian

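Putting Jim's and Kristian's suggestions together as a stand-alone Ruby simulation (added here; it is not Rails' own code and not the linked controller): the server copies form_authenticity_token into an X-CSRF-Token response header, the app echoes it on every state-changing call, and a request that cannot present the token gets the same "Can't verify CSRF token authenticity" rejection Anish saw. The class, route and method names are invented; in a real Rails 3 app the get_session step is an after_filter doing `response.headers['X-CSRF-Token'] = form_authenticity_token`.

```ruby
require 'securerandom'

class CsrfApi
  HEADER = 'X-CSRF-Token'

  def initialize
    @session = {} # server-side session for one client, like the Rails session store
  end

  # Mirrors form_authenticity_token: one random token per session, created lazily.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # GET /api/session: a safe request that needs no token. The server copies the
  # session token into a response header so a non-browser client can read it.
  def get_session
    { status: 200, headers: { HEADER => form_authenticity_token } }
  end

  # POST /api/things: state-changing, verified like protect_from_forgery.
  # Rails accepts the token from the authenticity_token param or the header.
  def post_things(params: {}, headers: {})
    presented = params['authenticity_token'] || headers[HEADER]
    unless presented.is_a?(String) && secure_compare(form_authenticity_token, presented)
      return { status: 422, error: "Can't verify CSRF token authenticity" }
    end
    { status: 201 }
  end

  private
  # Constant-time compare so the token is not leaked through timing differences.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# What the iOS app would do (here in plain Ruby): read the token from the first
# response, then send it back as a header on every state-changing call.
def app_flow(api)
  token = api.get_session[:headers][CsrfApi::HEADER]
  api.post_things(headers: { CsrfApi::HEADER => token })[:status]
end

# A cross-site request rides on the victim's cookie but cannot read the header,
# so it arrives with no token or a wrong one and is rejected.
def forged_flow(api)
  api.post_things(headers: { CsrfApi::HEADER => 'not-the-real-token' })[:status]
end
```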
  • Matt Jones at Dec 30, 2012 at 2:27 am
Since this thread has been revived, it seems reasonable to mention that you
may not want to use session state in your API at all - some HTTP clients
may not support it out-of-the-box, etc. OAuth or OAuth2 is a possible
alternative - there are some very slick gems to help with this
(devise_oauth2_providable, among others).

    --Matt Jones

