Brian Morearty
2014-May-03 20:39 UTC
Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags?
When you generate a default Rails app, it puts this in application.html.erb:

    <%= csrf_meta_tags %>

It does this so the remote forms can be submitted--i.e., so JavaScript can submit a form. When jquery-rails is about to submit a form, it looks for the <meta> tags named "csrf-param" and "csrf-token" and from them it constructs a hidden "authenticity_token" param. It gets inserted in with the POST data so Rails will accept the request.

I would like to be able to serve identical HTML content for all users, so the page can be cached on Varnish or a CDN or whatever. Since the form_authenticity_token is different for every session, leaving csrf_meta_tags in the header makes it impossible for a proxy to cache the page.

I have an idea for how to fix it but thought I would ask here, to see if people think there would be problems with it: I could create an after_action in ApplicationController that looks like this:

    after_action :set_authenticity_cookie

    def set_authenticity_cookie
      cookies[:form_authenticity_token] = form_authenticity_token if form_authenticity_token
    end

So basically send the form_authenticity_token to the browser in a cookie instead of putting it in the HTML. Client-side, I could write a little JavaScript that pulls it out of the cookie and dynamically creates the meta tags that jquery-rails is expecting.

Questions:

1. Does this expose me to any security problems?
2. Is there any reason this wouldn't work?

Thanks,
Brian
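The client-side half described in the post, as an added example that is neither the poster's code nor part of jquery-rails: it reads the cookie the after_action sets, decodes it (Rack percent-encodes cookie values, so `+`, `/` and `=` in the token arrive escaped) and creates or updates the csrf-param and csrf-token meta tags. It assumes Rails' default param name authenticity_token and the default, script-readable (non-HttpOnly) cookie that cookies[]= produces.

```javascript
// Constructed example: read the CSRF token that the post's after_action puts
// in the "form_authenticity_token" cookie and expose it through the <meta>
// tags jquery-rails expects. "authenticity_token" is Rails' default param name.

// Decoded value of one cookie from a document.cookie-style string, or null.
// Rack percent-encodes cookie values, so a token such as "abc+/=" arrives as
// "abc%2B%2F%3D" and must be decoded before use.
function readCookie(cookieString, name) {
  var pairs = cookieString.split(';');
  for (var i = 0; i < pairs.length; i++) {
    var pair = pairs[i].trim();
    var eq = pair.indexOf('=');
    if (eq !== -1 && pair.slice(0, eq) === name) {
      return decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return null;
}

// The two meta tags jquery-rails looks up (csrf-param, csrf-token). Returns
// null when no token cookie is set, so no csrf-token meta with empty content
// is created (jquery-rails would submit that empty value as-is).
function csrfMetaFromCookie(cookieString) {
  var token = readCookie(cookieString, 'form_authenticity_token');
  if (!token) return null;
  return [
    { name: 'csrf-param', content: 'authenticity_token' },
    { name: 'csrf-token', content: token }
  ];
}

// Create or update the meta tags in <head>. Update rather than append: the
// cookie changes with every response and jquery-rails reads the first match.
function installCsrfMeta(doc, cookieString) {
  var metas = csrfMetaFromCookie(cookieString);
  if (!metas) return false;
  metas.forEach(function (m) {
    var el = doc.querySelector('meta[name="' + m.name + '"]');
    if (!el) {
      el = doc.createElement('meta');
      el.setAttribute('name', m.name);
      doc.head.appendChild(el);
    }
    el.setAttribute('content', m.content);
  });
  return true;
}

// In a browser, run before jquery-rails submits anything (e.g. on DOMContentLoaded).
if (typeof document !== 'undefined') installCsrfMeta(document, document.cookie);
```

Varnish's default configuration treats a backend response that carries Set-Cookie as uncacheable, so an after_action that sets the token cookie on every page would defeat the caching goal unless the cookie is issued from a separate, uncached endpoint.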