Hi guys, I haven't actually looked around properly yet (am doing it now..) but thought I'd flick this question over here first anyways and see what you all thought?
I'm upgrading an old behemoth of an application to 2.3.14 at the mo and needed to add in CSRF protection for the entire site. The thing is, the majority of the site is web based but about 40% of it also acts as an API returning XML. I've updated my non get/post requests to use the token and the site is working fine via the web but if I try and access it via the existing API, my session data is now destroyed as the API request does not include the token..

Anyone got any ideas on the best way to approach this? So far I've only read people saying to turn it off for the particular methods you want to expose.. which doesn't sound right to me..

Cheers if you can help.

Kind Regards,
Lucas
