Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 
  • Understand Rails Authenticity Token

    • 0
    • 1
    • 1
    • 1
    • 0
    • 0
    • 0
    • 0
    • 232
    Comment on it

    What happens when the user views a form in the browser for a resource, rails application creates a random string as a authenticity token and store that random token in the session and when the form generates, it places that token in the form as a hidden variable and when user submits the forms rails looks for that token and compare it with the token that is stored in the session and if both the tokens match the form request will be allowed to continue. And the good thing is attacker does not have the access of the token.The authenticity token is designed just for you so that your form is being submitted from your application only to protect CSRF(Cross-site request forgery) attacks.

    Notes:

    Rails only checks POST, PUT, and DELETE requests. GET requests are not protected because they don't leak sensitive information and things like writing to database.

    Lessons:

    Use authenticity token to protect your POST, PUT, and DELETE requests. Also make sure that GET requests should not modify resources.

    If you want to skip checking the authenticity token at some functions use this

    skip_before_filter :verify_authenticity_token, :only => [:upload_csv]
    

 0 Comment(s)

Sign In
                           OR                           
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: