Running ruby 1.9.3 and Rails 3.2.8.

I feel like I'm not fully understanding how CSRF works.

I have `protect_from_forgery` in my ApplicationController.

So, now should all non-GET requests require an authentication token?

Specifically, I have a `destroy` method that doesn't seem to care if a token is present or not.
(I can submit a curl request in terminal, and it doesn't balk.)

Does being in development have something to do with it?

Thanks.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/HHn_rlYXHzsJ.
For more options, visit https://groups.google.com/groups/opt_out.


  • Frederick Cheung at Aug 20, 2012 at 6:54 pm

    On Monday, August 20, 2012 5:47:11 PM UTC+1, Johnny wrote:
    > Running ruby 1.9.3 and Rails 3.2.8.
    >
    > I feel like I'm not fully understanding how CSRF works.
    >
    > I have `protect_from_forgery` in my ApplicationController.
    >
    > So, now should all non-GET requests require an authentication token?

    Yes (unless you explicitly skip the before filter that does that
    verification).

    > Specifically, I have a `destroy` method that doesn't seem to care if a
    > token is present or not.
    > (I can submit a curl request in terminal, and it doesn't balk.)

    What happens? The default action when the token is missing or invalid is to
    reset the session (to clear your credentials; there is also a hook for
    libraries like devise to zap their credential storage) and then continue
    processing the request. Given that CSRF is about using a user's credentials
    without them knowing it, then if the action didn't require authentication
    in the first place it is considered ok. You can overwrite
    `handle_unverified_request` if you want to change this (for example you
    could restore the Rails 2.x behaviour, which was to raise an exception).

    > Does being in development have something to do with it?

    No

    Fred


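The flow Fred describes, as an added example that is not part of the thread and does not use Rails itself: a constructed `MiniController` models the `protect_from_forgery` filter with the Rails 3.2 default of resetting the session and continuing, a `StrictController` overrides `handle_unverified_request` to raise instead, and the `Request`, `SESSION` and `destroy(requires_auth)` names are made up for the illustration.

```ruby
# Constructed stand-in for Rails 3.2's protect_from_forgery flow (no Rails needed).
# MiniController, StrictController, Request and SESSION are made up for this example.
class InvalidAuthenticityToken < StandardError; end

Request = Struct.new(:http_method, :params, :session)

class MiniController
  attr_reader :log

  def initialize(request)
    @request = request
    @session = request.session
    @log = []
  end

  # The before filter protect_from_forgery installs: GET/HEAD are exempt, any
  # other verb must carry a token equal to the one kept in the session.
  def verify_authenticity_token
    return if %w[GET HEAD].include?(@request.http_method)
    return if @request.params['authenticity_token'] == @session[:_csrf_token]
    handle_unverified_request
  end

  # Rails 3.2 default: wipe the session (so the forged request cannot ride on
  # the victim's credentials) and keep processing the action.
  def handle_unverified_request
    @session.clear
    @log << 'session reset'
  end

  # A destroy that needs a logged-in user now fails because the session is gone;
  # a destroy that needed no authentication still runs (the token-less curl case).
  def destroy(requires_auth)
    verify_authenticity_token
    @log << (requires_auth && @session[:user_id].nil? ? '401 not authorized' : 'record destroyed')
  end
end

# Rails 2.x behaviour restored by overriding the hook: raise instead of resetting.
class StrictController < MiniController
  def handle_unverified_request
    raise InvalidAuthenticityToken, 'CSRF token missing or invalid'
  end
end

# Constructed requests from a logged-in session, with and without the token.
SESSION = { user_id: 42, _csrf_token: 'constructed-token' }
def forged_delete;  Request.new('DELETE', {}, SESSION.dup); end
def genuine_delete; Request.new('DELETE', { 'authenticity_token' => 'constructed-token' }, SESSION.dup); end
```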
