I’m currently implementing a chat application using WebSockets, with Faye, and when I go to implement their suggested CSRF protection for the pub/sub channel in Rails (http://faye.jcoglan.com/security/csrf.html) I always get an access denied error.
I thought it was weird and, upon further inspection, I noticed that the authenticity_token and the csrf_token stored in the session were different, and thought that was weird too. After looking at the source code, I found that it encrypts the authenticity token, and that it has to be decoded to get the csrf_token to compare against.
This is a hassle, and I think that the verification should be made public in case somebody wants to do CSRF verification through pub/sub apps like the Faye one I showed.
I could be wrong, and there may be another way to do it, but I just thought I would suggest this.
Link to code that I am talking about: https://github.com/rails/rails/blob/e7feaff70f13b56a0507e9f4dfaf3ebc361cb8e6/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L197
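The mismatch described above comes from Rails' token masking: the value rendered into the page is not the session token itself but a per-request one-time pad followed by the pad XORed with the 32-byte session token, all base64 encoded, so a byte-for-byte comparison against `session[:_csrf_token]` will always fail. The following is an added example, not code from the Rails issue, the Rails source, or the Faye project; it reimplements that mask/unmask scheme stand-alone and shows how a Faye-style extension could use it. `generate_session_token`, `mask_token`, `unmask_token`, `valid_authenticity_token?`, `CsrfProtection` and the `session_lookup` callable are names assumed here for illustration; `TOKEN_LENGTH = 32` mirrors the length Rails uses for its tokens.

```ruby
require 'base64'
require 'securerandom'

# Rails stores a 32-byte random token (base64) in session[:_csrf_token].
TOKEN_LENGTH = 32

# The raw session token, as Rails would place it in the session store.
def generate_session_token
  SecureRandom.base64(TOKEN_LENGTH)
end

# XOR two equal-length binary strings byte by byte.
def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Masking: base64(pad || (pad XOR raw_token)). A fresh pad on every request
# is what makes the rendered authenticity_token differ from the session value.
def mask_token(session_token)
  raw = Base64.strict_decode64(session_token)
  pad = SecureRandom.random_bytes(raw.bytesize)
  Base64.strict_encode64(pad + xor_byte_strings(pad, raw))
end

# Unmasking: split off the pad and XOR it back out. Returns nil for input
# that is not valid base64 or not exactly pad + ciphertext in length.
def unmask_token(masked_token)
  decoded = Base64.strict_decode64(masked_token)
  return nil unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded[0, TOKEN_LENGTH]
  encrypted = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_byte_strings(pad, encrypted)
rescue ArgumentError
  nil
end

# Constant-time comparison so the check does not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# The check the issue asks to have exposed: compare the unmasked submitted
# token against the raw session token, tolerating malformed input.
def valid_authenticity_token?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  raw_session = Base64.strict_decode64(session_token)
  raw_submitted = unmask_token(submitted_token)
  return false if raw_submitted.nil?
  secure_compare(raw_session, raw_submitted)
rescue ArgumentError
  false
end

# A Faye-style server extension (hypothetical). session_lookup is assumed to
# map an incoming message to that client's session CSRF token, e.g. from the
# Rack session attached to the request; how that mapping is done is out of scope.
class CsrfProtection
  def initialize(session_lookup)
    @session_lookup = session_lookup
  end

  # Reject subscribe messages whose ext.csrfToken does not unmask to the session token.
  def incoming(message, callback)
    if message['channel'] == '/meta/subscribe'
      submitted = message['ext'] && message['ext']['csrfToken']
      session_token = @session_lookup.call(message)
      unless valid_authenticity_token?(session_token, submitted)
        message['error'] = '401::Access denied'
      end
    end
    callback.call(message)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: one session, one masked token rendered into the page.
  session_token = generate_session_token
  page_token = mask_token(session_token)
  ext = CsrfProtection.new(->(_msg) { session_token })
  msg = { 'channel' => '/meta/subscribe', 'ext' => { 'csrfToken' => page_token } }
  ext.incoming(msg, ->(m) { puts(m['error'] || 'subscribe allowed') })
end
```

The usage at the bottom shows why the direct comparison in the Faye documentation fails against current Rails: `page_token != session_token`, yet `valid_authenticity_token?` accepts it because it unmasks first. Each page render produces a different masked value for the same session, so a server-side check must always unmask before comparing, and should do so in constant time.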