Thanks Pat,

Every request within the site has to be done by an authenticated user anyway, so the site's partially secure as is. But CSRF attacks work by actually using the user's logged-in session details, so normal authentication doesn't protect it.
What I'm thinking is that it would at least be a bit safer if I could somehow leave the CSRF protection on for all non-XML requests. This would still leave the method open to attack but would at least reduce the probability of it happening. I am looking into this now.

Kind Regards,
Lucas
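To make the trade-off concrete, here is an added, self-contained Ruby model of a Rails-style authenticity-token check with the "skip verification for XML requests" exemption discussed above. It is example code written for this thread, not Lucas's application code and not Rails' own implementation: the request is a plain Hash (method, format, params, headers) and the session is a Hash, both constructed here so the script runs without Rails. The `skip_xml` flag models the proposed policy; the sample outcomes show that a forged non-XML POST is rejected while a forged XML POST still passes when the exemption is on, which is exactly the residual risk the message describes.

```ruby
require "securerandom"

# Idempotent methods are never token-checked (same as Rails' default policy).
SAFE_METHODS = %w[GET HEAD].freeze

# Mint a per-session token once and reuse it (stored under a constructed key).
def issue_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so a forged token cannot be guessed byte by byte
# via timing differences (hand-rolled to avoid any gem dependency).
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def xml_request?(request)
  request[:format] == :xml
end

# Returns true when the request may proceed.
# skip_xml: true  -> XML requests bypass the token check (the proposed compromise)
# skip_xml: false -> every state-changing request must carry the token
def verified_request?(request, session, skip_xml: true)
  return true if SAFE_METHODS.include?(request[:method])
  return true if skip_xml && xml_request?(request) # the exemption under discussion
  params  = request.fetch(:params, {})
  headers = request.fetch(:headers, {})
  submitted = params["authenticity_token"] || headers["X-CSRF-Token"]
  constant_time_equal?(session[:_csrf_token], submitted)
end

# Constructed scenarios; a browser that has the victim's session cookie sends the
# session automatically, but a cross-site form cannot know the token value.
def demo_outcomes
  session = {}
  token = issue_csrf_token(session)
  legit_form  = { method: "POST", format: :html, params: { "authenticity_token" => token } }
  forged_form = { method: "POST", format: :html, params: {} }
  forged_xml  = { method: "POST", format: :xml,  params: {}, headers: {} }
  {
    legit_form_accepted:      verified_request?(legit_form, session),
    forged_form_rejected:     !verified_request?(forged_form, session),
    forged_xml_with_skip:     verified_request?(forged_xml, session),                 # still open
    forged_xml_without_skip:  verified_request?(forged_xml, session, skip_xml: false) # closed
  }
end

if __FILE__ == $PROGRAM_NAME
  demo_outcomes.each { |name, result| puts "#{name}: #{result}" }
end
```

In Rails itself the equivalent policy is expressed through `protect_from_forgery` and, in newer versions, a conditional `skip_before_action :verify_authenticity_token`. The model also shows why the exemption is only a partial fix: the XML path is still authenticated purely by the ambient session cookie, which the browser attaches to any request, so the more robust option is to authenticate XML/API calls with a credential the browser does not send on its own (for instance a token supplied in a request header), which makes a cross-site forgery fail for the same reason the form path does.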
