Hi all,

I would like to use page caching on my homepage, but also want to enable people to sign in via a modal dialog sign in form. I could have a setup in which when a user lands on the cached homepage, an Ajax GET request pulls in the whole login form so that there is a fresh authenticity token.

That said, besides the additional hit to the server, the CSRF token in the head area of the page could be different (left over in the page cache from another user).

I'm guessing that loading a form like this through ajax is not advisable, but since it works and most people hit the site without signing in, I'm wondering why not just load the form via an ajax get call?

Thanks,
Raviv

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Frederick Cheung
2011-Aug-28 10:12 UTC
Re: Page Caching, CSRF, and Loading a form via Ajax
On Aug 28, 5:48 am, Raviv M-G <ravi...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi all,
>
> I would like to use page caching on my homepage, but also want to
> enable people to sign in via a modal dialog sign in form. I could
> have a setup in which when a user lands on the cached homepage, an
> Ajax GET request pulls in the whole login form so that there is a
> fresh authenticity token.
>
> That said, besides the additional hit to the server, the CSRF token in
> the head area of the page could be different (left over in the page
> cache from another user).
>
> I'm guessing that loading a form like this through ajax is not
> advisable, but since it works and most people hit the site without
> signing in, I'm wondering why not just load the form via an ajax get
> call?
>

Well I'm sure that would work, but is there any point to CSRF protection for a login form? The aim of the token is to stop an attacker getting an already logged in user to submit form data unwittingly, but with a login action it doesn't seem like they can do any harm, since unless the attacker knows the user's credentials all they are ever going to trigger is a "bad login please try again" page.

On top of that, when the CSRF token doesn't match up, these days what happens is that your session gets reset, so that the request gets handled like a non-logged user's would.

Fred

> Thanks,
> Raviv
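To make the two points in this thread concrete (a token baked into a page-cached page belongs to whichever session rendered it, and a mismatch resets the session rather than blocking the request), here is an added, simplified model in plain Ruby. It is not Rails' own implementation; the `fresh_token_response` endpoint, the session hashes and the scenario are constructed for illustration.

```ruby
require "securerandom"

# Compare two strings in constant time so the token check leaks no timing info.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Lazily create the token tied to this session (what a freshly rendered page
# would carry in its meta tag and hidden authenticity_token field).
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Hypothetical GET endpoint a cached page can call via Ajax: it hands back a
# token that belongs to the *current* visitor's session, not the cached one.
def fresh_token_response(session)
  { "csrf_token" => form_authenticity_token(session) }
end

# Safe methods pass; anything else must carry the current session's token.
def verified_request?(session, method, submitted_token)
  return true if %w[GET HEAD].include?(method)
  expected = session[:_csrf_token]
  !expected.nil? && !submitted_token.nil? && secure_compare(expected, submitted_token)
end

# Model of a login POST: on a token mismatch the session is cleared and the
# request proceeds as an anonymous visitor's would; credentials still decide.
# Returns [outcome, session_was_reset].
def handle_login_post(session, submitted_token, credentials_ok:)
  reset = false
  unless verified_request?(session, "POST", submitted_token)
    session.clear
    reset = true
  end
  [credentials_ok ? :logged_in : :bad_login, reset]
end

# Constructed scenario: the page cache stored a page rendered during session A;
# a later visitor with session B submits its token, then a freshly fetched one.
def cached_token_scenario
  session_a = {}
  cached_page_token = form_authenticity_token(session_a)  # baked into the cache
  session_b = {}
  stale = handle_login_post(session_b, cached_page_token, credentials_ok: true)
  fresh_token = fresh_token_response(session_b)["csrf_token"]
  fresh = handle_login_post(session_b, fresh_token, credentials_ok: true)
  { stale: stale, fresh: fresh }
end
```

Running `cached_token_scenario` shows the stale token failing verification (session reset, login still judged on credentials) while the Ajax-fetched token verifies cleanly.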