What happens when the token is missing or wrong depends on the option with
which the protect_from_forgery method is called.
In Rails there are three options: throw an exception, create a new session, or clear the current session.
protect_from_forgery with: :null_session (default option)
Sets all values to nil in all cookies, including the session. That means the user won't be logged in anymore for that action and can't perform the change (if the action requires a signed-in user).

protect_from_forgery with: :reset_session
Rails sets a new cookie with an empty session in the browser. That means the user won't be logged in anymore.
Small hack: if the user copies the old cookie before the forgery attack, they can restore their session after the attack.

protect_from_forgery with: :exception
Raises an ActionController::InvalidAuthenticityToken exception.
For a user-related Rails application, with: :null_session is advised.
We may want to disable CSRF protection for APIs, since they are typically designed to be stateless; that is, the API client handles the session for you instead of Rails.
Otherwise the nature of your app decides which option is best.
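To make the difference between the three options concrete, here is a small added model of the check (example code written for this post, not Rails source): the persisted session is a plain Hash, the request carries a token, and each strategy decides what session the action sees and whether the stored session survives. The class name, method names and the :csrf_token key are assumptions of the model.

```ruby
# Toy model of Rails' protect_from_forgery strategies (added example, not
# Rails code). `store` stands for the persisted session; the request carries
# the token from the authenticity_token param or the X-CSRF-Token header.
class CsrfGuard
  class InvalidAuthenticityToken < StandardError; end

  # Idempotent verbs are never checked, matching Rails' behaviour.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
  STRATEGIES   = %i[null_session reset_session exception].freeze

  def initialize(strategy:)
    raise ArgumentError, "unknown strategy #{strategy}" unless STRATEGIES.include?(strategy)
    @strategy = strategy
  end

  # Returns the session the controller action should see for this request.
  # Only :reset_session mutates the persisted store.
  def guard(method:, token:, store:)
    return store if SAFE_METHODS.include?(method.upcase) || valid?(token, store[:csrf_token])

    case @strategy
    when :null_session  then {}                 # action runs with an empty session; store untouched
    when :reset_session then store.replace({})  # persisted session wiped: user is logged out
    when :exception     then raise InvalidAuthenticityToken, "token missing or wrong"
    end
  end

  private

  # Constant-time comparison so the check does not leak token bytes via timing.
  def valid?(given, expected)
    return false if given.nil? || expected.nil? || given.bytesize != expected.bytesize
    given.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```

Note that with :null_session the store still holds user_id after the rejected request, so the next legitimate request is still signed in, whereas :reset_session logs the user out for good.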