Hi, please see inline:

> However you're correct that we need a little more documentation than
> we had previously because the attack vectors are a touch trickier. I
> intend to post an FAQ blog post and update the guides in a few days to
> ensure that it's crystal clear what's required.

@Michael: Thanks for all your efforts. Did you get around to posting this FAQ blog post? Because for me it's not crystal clear at the moment. Specifically:

> CSRF attacks are about using *session* data to perform an action
> without the user's knowledge. The attack you're describing here,
> which doesn't rely on session data,

This is our situation, which I'm sure many have: on our homepage we have a login form. Whether this login form has the authentication token or not doesn't matter anymore; login always succeeds, even with cookies disabled. Previously it would not. Even though +handle_unverified_request+ is called, resetting the session doesn't matter, as it was a new session anyway. Code continues, and login succeeds.

In the post at http://weblog.rubyonrails.org/ under the heading "Upgrade Process", I think the suggestion to simply remove the remember_me cookie isn't enough. Wouldn't this be better advice?

    def handle_unverified_request
      super # call the default behaviour, which resets the session
      redirect_to login_url
    end

Cheers,
Jimmy
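The flow Jimmy describes, as an added example that is not part of the original thread and not Rails code: a plain-Ruby simulation of a controller whose CSRF filter resets the session and then lets the action run (the Rails 3.0.4 default he describes) next to the same controller with the suggested override that redirects. The controller class, filter chain, session hash, credentials and `/login` URL are all constructed stand-ins so that the example runs offline.

```ruby
require 'securerandom'

# Hypothetical stand-in for a Rails-style controller with a CSRF before-filter.
# Not ActionController; it only mirrors the order "verify token, then action".
class FakeLoginController
  attr_reader :session, :redirected_to

  def initialize(params, session = {})
    @params = params
    @session = session
    @performed = false      # becomes true once a redirect has been issued
    @redirected_to = nil
  end

  # Run the CSRF check, then the action unless a redirect already answered.
  def dispatch
    verify_authenticity_token
    create unless @performed
    self
  end

  # The login action. Constructed credential check; a real app looks up a user.
  def create
    if @params[:email] == 'user@example.com' && @params[:password] == 'secret'
      @session[:user_id] = 42
    end
  end

  private

  def verify_authenticity_token
    handle_unverified_request unless verified_request?
  end

  # A request is verified only if the session holds a token and the form
  # sent the same one; a cookie-less forged POST has neither.
  def verified_request?
    token = @session[:_csrf_token]
    !token.nil? && @params[:authenticity_token] == token
  end

  # Default behaviour as described in the upgrade post: reset the session
  # and let the action continue. For a fresh login request the reset is a
  # no-op, which is exactly Jimmy's complaint.
  def handle_unverified_request
    @session.clear
  end

  def redirect_to(url)
    @redirected_to = url
    @performed = true
  end
end

# The override suggested in the post: keep the reset, then redirect so that
# the login action never runs for an unverified request.
class HardenedLoginController < FakeLoginController
  private

  def handle_unverified_request
    super
    redirect_to '/login'
  end
end

# Constructed forged request: valid credentials, no authenticity token,
# and no prior session (cookies disabled).
FORGED = { email: 'user@example.com', password: 'secret' }.freeze

def login_succeeds?(controller_class, params = FORGED, session = {})
  controller_class.new(params, session).dispatch.session.key?(:user_id)
end

def redirected?(controller_class, params = FORGED, session = {})
  controller_class.new(params, session).dispatch.redirected_to
end

# A legitimate browser submission: the session already holds the token the
# form rendered, and the form echoes it back.
def legit_login?(controller_class)
  token = SecureRandom.hex(16)
  session = { _csrf_token: token }
  params = FORGED.merge(authenticity_token: token)
  login_succeeds?(controller_class, params, session)
end

if __FILE__ == $0
  puts "default:  forged login succeeded = #{login_succeeds?(FakeLoginController)}"
  puts "hardened: forged login succeeded = #{login_succeeds?(HardenedLoginController)}, " \
       "redirected to #{redirected?(HardenedLoginController).inspect}"
  puts "legit form still works on both: #{legit_login?(FakeLoginController) && legit_login?(HardenedLoginController)}"
end
```

The simulation shows why the session reset alone is not a defence for a login form: the forged request arrives with an empty session, so clearing it changes nothing and the action still sets `session[:user_id]`. The override halts the request instead, while a form that carries the token it was rendered with still logs in normally.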
