Hey guys,

I've just committed a change to the way we generate and use CSRF tokens in rails[1]. Instead of all the stuff involving :secret and session ids, we simply take advantage of ActiveSupport::SecureRandom. This simplifies the tests and code drastically, and shouldn't have any negative impact on security.

Any feedback or reports of breakage greatly appreciated.

Also, thanks to Adam Barth and Colin Jackson of Stanford for taking the time to verify the approach with me.

[1] http://github.com/rails/rails/commit/9fdb15e60f4d4e37916e5354c50d559773bbe014

--
Cheers

Koz

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
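The per-session random token approach Koz describes, as an added example that is not the Rails commit's code: a token drawn from Ruby's standard-library SecureRandom (standing in here for ActiveSupport::SecureRandom) is stored in the session and checked on state-changing requests with a constant-time comparison. The plain-Hash session, the `authenticity_token` parameter name, the module name and the sample requests are assumptions made for this illustration.

```ruby
require 'securerandom'

# Constructed illustration of session-stored random CSRF tokens.
# Not the Rails implementation; names and session layout are assumed.
module CsrfProtection
  TOKEN_BYTES = 32
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
  PARAM = 'authenticity_token'.freeze

  # Return the session's token, generating it on first use. Nothing is
  # derived from a secret or the session id; the token is simply random
  # and unknowable to a cross-site attacker's page.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_BYTES)
  end

  # Constant-time comparison so response timing does not reveal how many
  # leading bytes of a guess matched the real token.
  def self.secure_compare(expected, submitted)
    return false unless expected.is_a?(String) && submitted.is_a?(String)
    return false unless expected.bytesize == submitted.bytesize
    diff = 0
    expected.bytes.zip(submitted.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Safe (read-only) methods pass; anything else must carry the session's
  # token in the form parameter. A session without a token cannot verify
  # anything, so a missing token fails closed.
  def self.verified?(session, method, params = {})
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    expected = session[:_csrf_token]
    return false if expected.nil?
    secure_compare(expected, params[PARAM])
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = CsrfProtection.token_for(session)
  puts "token: #{token}"
  puts "POST with token:    #{CsrfProtection.verified?(session, 'POST', CsrfProtection::PARAM => token)}"
  puts "POST without token: #{CsrfProtection.verified?(session, 'POST')}"
end
```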
On Nov 23, 8:07 am, "Michael Koziarski" <mich...@koziarski.com> wrote:
> Hey guys,
>
> I've just committed a change to the way we generate and use CSRF
> tokens in rails[1]. Instead of all the stuff involving :secret and
> session ids, we simply take advantage of ActiveSupport::SecureRandom.
> This simplifies the tests and code drastically, and shouldn't have
> any negative impact on security.

Awesome. Working fine for me so far.

Jeff