What happens when the authenticity token is missing or wrong depends on the with: option passed to the protect_from_forgery method.
Rails offers three strategies: serve the request with an empty session, reset the session, or raise an exception.
protect_from_forgery with: :null_session (the default when no with: option is given) serves the request with an empty session and a nullified cookie jar. Every session and cookie value reads as nil for that request only, so a user whose action requires being signed in is not treated as signed in and can't perform the change. The cookie stored in the browser is not touched, so the user is still signed in on the next request.
protect_from_forgery with: :reset_session calls reset_session: the current session is discarded and a new, empty session cookie is sent to the browser. That means the user is signed out.
Caveat: with the default cookie-based session store nothing is invalidated server-side, so whoever holds a copy of the old session cookie (saved before the failed request) can send it again and restore that session. Only a server-side store (the cache or database session store) actually revokes the old session on reset.
protect_from_forgery with: :exception raises ActionController::InvalidAuthenticityToken. The action never runs and the session is left untouched; if the exception is not rescued, Rails answers with a 422 response.
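To make the three behaviours concrete, here is an added example of mine, not Rails' own RequestForgeryProtection code: a toy HMAC-signed cookie session standing in for the default CookieStore, a guard that applies each with: strategy to an unverified request, and a run of one legitimate request and one forged request (the cookie rides along, the token is absent) through all three. The token check is a plain constant-time compare (Rails additionally masks its tokens), and the class and method names are assumptions for illustration. In a real app the switch is a single line in the controller, e.g. protect_from_forgery with: :exception in ApplicationController.

```ruby
require "openssl"
require "securerandom"
require "json"
require "base64"

# Added illustration, not Rails source. Names (CookieStore, ForgeryProtection,
# run_scenarios) are assumptions; the behaviour of each strategy mirrors Rails.
class InvalidAuthenticityToken < StandardError; end

module ConstantTime
  # Compare without leaking where two strings differ (used for token and MAC).
  def self.compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Toy cookie store: session hash -> base64(JSON), signed with HMAC-SHA256.
# Like Rails' CookieStore it keeps nothing server-side, so any cookie that
# still verifies is accepted, including one a reset has supposedly replaced.
class CookieStore
  def initialize(secret)
    @secret = secret
  end

  def dump(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{sign(payload)}"
  end

  def load(cookie)
    payload, mac = cookie.to_s.split("--", 2)
    return {} unless payload && mac && ConstantTime.compare(sign(payload), mac)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    {} # malformed payload is treated like a missing cookie
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end
end

# A non-GET request as the server sees it: the session cookie the browser
# attached and the authenticity token the page submitted (nil if absent).
Request = Struct.new(:cookie, :token)
# session_for_action is nil when the action never ran; set_cookie is nil when
# the browser's cookie was left unchanged.
Result = Struct.new(:session_for_action, :set_cookie)

class ForgeryProtection
  STRATEGIES = %i[null_session reset_session exception].freeze

  def initialize(store, with: :null_session)
    raise ArgumentError, "unknown strategy #{with.inspect}" unless STRATEGIES.include?(with)
    @store = store
    @with = with
  end

  def handle(request)
    session = @store.load(request.cookie)
    return Result.new(session, nil) if token_ok?(session["_csrf_token"], request.token)

    case @with
    when :null_session then Result.new({}, nil)             # action runs with an empty session, cookie untouched
    when :reset_session then Result.new({}, @store.dump({})) # action runs, browser gets a fresh empty cookie
    when :exception then raise InvalidAuthenticityToken      # action never runs; Rails renders 422
    end
  end

  private

  def token_ok?(expected, given)
    expected.is_a?(String) && given.is_a?(String) && ConstantTime.compare(expected, given)
  end
end

# Runs a signed-in user's legitimate request and a cross-site forgery through
# each strategy and reports what the user and the attacker can observe.
def run_scenarios(secret = SecureRandom.hex(32))
  store = CookieStore.new(secret)
  token = SecureRandom.base64(32)
  signed_in = store.dump("user_id" => 42, "_csrf_token" => token) # constructed session
  legit  = Request.new(signed_in, token)
  forged = Request.new(signed_in, nil)

  ForgeryProtection::STRATEGIES.to_h do |with|
    guard = ForgeryProtection.new(store, with: with)
    result = begin
      guard.handle(forged)
    rescue InvalidAuthenticityToken
      Result.new(nil, nil)
    end
    [with, {
      legit_user_id: guard.handle(legit).session_for_action["user_id"],
      forged_action_ran: !result.session_for_action.nil?,
      forged_saw_user: !(result.session_for_action || {})["user_id"].nil?,
      signed_in_afterwards: !store.load(result.set_cookie || signed_in)["user_id"].nil?,
      old_cookie_still_valid: !store.load(signed_in)["user_id"].nil? # cookie store cannot revoke
    }]
  end
end

puts JSON.pretty_generate(run_scenarios) if __FILE__ == $PROGRAM_NAME
```

Running it shows the trade-off in one table: :null_session and :reset_session both let the forged action run without a user, but only :reset_session signs the user out, and even then the old cookie keeps verifying because the cookie store has nothing to revoke; :exception is the only strategy under which the forged action does not run at all.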
For a browser-facing application where users sign in, with: :exception is the safer choice and is what rails new generates: a failed check fails loudly instead of quietly running the action with an empty session, so a broken or forged form is noticed rather than masked.
CSRF protection can be relaxed for API controllers that are stateless, that is, where each request is authenticated by a token the client sends explicitly (for example in an Authorization header) rather than by a session cookie the browser attaches automatically. A forged cross-site request has nothing to ride on there, and with: :null_session keeps such controllers from rejecting token-less requests while still denying them any session.
Otherwise the nature of the app decides which option fits best.
What are the options with which protect_from_forgery is called? (15 May 2017)