The Artima Developer Community
Ruby Buzz Forum
What's New in Edge Rails: Better Cross-Site Request Forging Prevention
rwdaigle
Ryan is a passionate ruby developer with a strong Java background.
What's New in Edge Rails: Better Cross-Site Request Forging Prevention Posted: Sep 24, 2007 10:16 AM
This post originated from an RSS feed registered with Ruby Buzz by rwdaigle.
Original Post: What's New in Edge Rails: Better Cross-Site Request Forging Prevention
Feed Title: Ryan's Scraps
Feed URL: http://feeds.feedburner.com/RyansScraps
Feed Description: Ryan Daigle's various technically inclined rants along w/ the "What's new in Edge Rails" series.
Hot on the heels of the in-depth look at Rails security options comes the addition of the CsrfKiller plugin into rails core.

The CsrfKiller plugin adds a unique session token field to all forms that is checked on every non-GET request. This ensures that the request received is in fact coming from the session of the authorized user (check out Wikipedia’s CSRF article if you need more details on the technique).

All you need to do to enable this protection is to add a protect_from_forgery statement in your controller that takes the familiar :except or :only option along with a salt to use when generating the unique token:

class PostsController < ApplicationController

  protect_from_forgery :secret => '2kdjnaLI8', :only => [:update, :delete, :create]
  ...
end

If you’re already using edge Rails’ default cookie session store then you don’t have to specify the :secret key.


protect_from_forgery :only => [:update, :delete, :create]

If you’re not on a cookie session store, you can also change the digest method used to generate the unique token (the default is ‘SHA1’).


  protect_from_forgery :secret => '2kaienna9ea90djnaLI8', :digest => 'MD5'

If a request comes in that doesn’t match the request forgery protection token for the current session, an ActionController::InvalidToken exception will be thrown. Perhaps a good place to try out the new exception handling syntax?

Caveats: The request forgery protection only applies in the following scenarios:
  • Non-GET requests, so make sure the only requests that modify state are your PUT/POST/DELETE requests.
  • On html and ajax requests. Override verifiable_request_format? if you want to expand that.
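To make the mechanism and both caveats concrete, here is a small simplified model of the check (an added illustration, not the Rails source or the CsrfKiller plugin): the token is a digest of the :secret salt plus the session id, and it is verified only for non-GET html/js requests on the protected actions. The InvalidToken class, the ForgeryProtection class and the sample session id are assumptions made for this example.

```ruby
require 'digest/sha1'
require 'digest/md5'
# Raised when a checked request carries no valid token (stands in for
# ActionController::InvalidToken in this illustration).
class InvalidToken < StandardError; end

# Simplified model of protect_from_forgery (added illustration, not the
# Rails source): the token is a digest of an app secret plus the session
# id, so a page on another origin cannot compute it, and the check runs
# only for non-GET html/js requests on the configured actions.
class ForgeryProtection
  DIGESTS = { 'SHA1' => Digest::SHA1, 'MD5' => Digest::MD5 }
  def initialize(secret, digest: 'SHA1', only: nil)
    @secret = secret
    @digest = DIGESTS.fetch(digest)
    @only   = only            # nil protects every action
  end

  # Value the form helper would embed as the hidden authenticity_token field.
  def token_for(session_id)
    @digest.hexdigest(@secret + session_id)
  end

  # Mirrors verifiable_request_format?: only html and ajax (js) requests are checked.
  def verifiable_format?(format)
    %w[html js].include?(format)
  end

  # True when the request may proceed; raises InvalidToken otherwise.
  def verify!(method:, action:, format:, session_id:, params:)
    return true if method == 'GET'                       # caveat: GETs are never checked
    return true unless @only.nil? || @only.include?(action)
    return true unless verifiable_format?(format)
    raise InvalidToken unless params['authenticity_token'] == token_for(session_id)
    true
  end
end

# Constructed sample: the victim's session and a forged cross-site POST that
# lacks the token; a legitimate form submission would carry token_for(session).
PROTECT = ForgeryProtection.new('2kdjnaLI8', only: [:update, :delete, :create])
VICTIM_SESSION = 'sess-1234'
def forged_post_rejected?
  PROTECT.verify!(method: 'POST', action: :create, format: 'html',
                  session_id: VICTIM_SESSION, params: {})
  false
rescue InvalidToken
  true
end
```

Note that a state-changing GET or a request to an action outside :only passes straight through, which is exactly why the caveats above matter.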

tags: ruby, rubyonrails
