I know this is some serious thread necromancy, and I apologize for that. Google shows this result prominently for this subject.
> How is this a security flaw? Login only succeeds if the credentials are
> correct. If someone has credentials, they can log in to the site, and I
> don't see what role forged cross-site requests play in this case.

It is a security flaw because an attacker can force a user to log in with credentials under his control, and use that to attempt to get a user to give up some form of sensitive information. It's pretty far-fetched, but not completely inconceivable.
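Worked example of the login CSRF described in the post above and of the usual mitigation, added here as illustration; it is not code from this thread or from Rails itself. It assumes a constructed credential store (USERS), a stand-in Session class representing whatever the victim's cookie-backed session holds, and hypothetical handler names vulnerable_login and secure_login. The token check follows, in outline, what a per-session authenticity token does: the login form must echo back a secret that was issued to the session before login, which a form hosted on the attacker's site cannot obtain.

```ruby
require 'securerandom'

# Constructed credential store for the example (not a real user database).
USERS = { 'attacker' => 'attacker-pw', 'victim' => 'victim-pw' }.freeze

# Minimal stand-in for a cookie-backed session. Whatever the victim's browser
# attaches to the forged request is whatever this object holds for that browser.
class Session
  attr_reader :data

  def initialize
    @data = {}
  end
end

# Shared credential check: on success the caller's session becomes logged in
# as the submitted user.
def authenticate(session, params)
  user = params['username']
  return :failure unless USERS[user] && USERS[user] == params['password']

  session.data[:user] = user
  :success
end

# Vulnerable handler: any POST carrying valid credentials logs that browser's
# session in, no matter which site built the form. A page under the attacker's
# control can auto-submit the attacker's own username and password from the
# victim's browser, leaving the victim silently signed in as the attacker.
def vulnerable_login(session, params)
  authenticate(session, params)
end

# Mitigation: issue a random token into the pre-login session and render it
# into the login form. The attacker's page never sees the victim's session,
# so a forged form cannot include the right value.
def issue_csrf_token(session)
  session.data[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened handler: reject the request before touching credentials unless the
# submitted token matches the one bound to this session.
def secure_login(session, params)
  return :csrf_rejected unless secure_compare(session.data[:csrf_token], params['authenticity_token'])

  authenticate(session, params)
end

# Constructed forged request: what an auto-submitting
# <form method="post" action="https://target/login"> on the attacker's page
# makes the victim's browser send. No token, because the attacker cannot read
# the victim's session.
def forged_login_params
  { 'username' => 'attacker', 'password' => 'attacker-pw' }
end

if __FILE__ == $PROGRAM_NAME
  victim = Session.new
  puts "vulnerable: #{vulnerable_login(victim, forged_login_params)} as #{victim.data[:user].inspect}"

  victim = Session.new
  issue_csrf_token(victim)
  puts "hardened:   #{secure_login(victim, forged_login_params)} as #{victim.data[:user].inspect}"
end
```

The token only helps if it is bound to a session that already exists when the login page is rendered; a login form served without setting a session cookie has nothing to tie the token to, so the check must create the session on the GET of the form, not on the POST.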