New CSRF tokens

Michael_Koziarski1 · November 23, 2008, 2:07pm

Hey guys,

I've just committed a change to the way we generate and use CSRF tokens in rails[1]. Instead of all the stuff involving :secret and session ids, we simply take advantage of ActiveSupport::SecureRandom. This simplifies the tests and code drastically, and shouldn't have any negative impact on security.

Any feedback or reports of breakage greatly appreciated.

Also, thanks to Adam Barth and Colin Jackson of Stanford for taking the time to verify the approach with me.

[1] Change the forgery token implementation to just be a simple random st… · rails/rails@9fdb15e · GitHub

Jeff1 · November 25, 2008, 7:44pm

Awesome. Working fine for me so far.

Jeff

Topic		Replies	Views
CSRF Protection Bypass in Ruby on Rails - I don't get it ... rubyonrails-talk	10	158	February 9, 2011
CSRF Protection Bypass in Ruby on Rails - I don't get it ... rubyonrails-core	2	161	February 11, 2011
CSRF / cached authenticity tokens / ajax requests rubyonrails-talk	2	183	January 25, 2008
Proposal: Authentication via JWT token rubyonrails-core feature	8	223	January 17, 2025
Auto complete plugin and CSRF protection-- do you care? rubyonrails-talk	6	202	December 10, 2007

New CSRF tokens

Related topics

More Resources