Dave,

Unfortunately I've actually not yet used Rack::Csrf with Camping.

In Sinatra, I just:

  use Rack::Session::Cookie, :secret => "something"
  use Rack::Csrf

and it works fine. Looking at Camping's source for Camping::Session, it
looks like it's basically doing the same
(http://github.com/camping/camping/blob/master/lib/camping/session.rb#L32).

The csrf_token shouldn't be changing every time, as Rack::Csrf is storing
it in your session. Can you verify that "rack.session" is present in your
session?

Ted

On Wed, Aug 11, 2010 at 2:33 PM, David Susco <dsu...@gmail.com> wrote:
> Ted,
>
> Do you use Camping::Session with Rack::Csrf? If so, how did you get it
> to work? Once I include Camping::Session the csrf_token changes every
> time I call the method.
>
> Can anyone explain what include Camping::Session is actually doing?
>
> Dave
>
> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <t...@tedkimble.com> wrote:
>> For cross-site request forgery protection I've simply used the
>> Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf).
>> The github page is pretty self-explanatory.
>>
>> For Haml, you should just be able to set its :escape_html option to
>> true and then
>>
>>   %p= @something_nasty
>>
>> will be escaped by default. See:
>>
>> http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option
>>
>> for more info.
>>
>> Best,
>> Ted
>>
>> On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsu...@gmail.com> wrote:
>>> Hey guys,
>>>
>>> What do people do to protect against cross-site request forgery? To
>>> mimic what Rails does I was thinking of creating a unique key for each
>>> session, and then in my logged_in? helper checking if the key passed
>>> by the user matches the one I set in the session.
>>>
>>> On the second question, I'm using Tilt with Haml templates. Any idea
>>> how I can set Haml's :escape_html option so each template escapes all
>>> HTML within variables?
>>>
>>> --
>>> Dave
>>> _______________________________________________
>>> Camping-list mailing list
>>> Camping-list@rubyforge.org
>>> http://rubyforge.org/mailman/listinfo/camping-list
>>
>
> --
> Dave
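The point Ted makes above (the token only stays stable if it is actually persisted in a session that survives between requests, which is what Dave's original "unique key per session" idea also depends on) is easy to see in isolation. The following is an added example written for this page; it is not code from the thread, from Rack, from rack_csrf or from Camping. It uses only the Ruby standard library: a small HMAC-signed cookie session stands in for Rack::Session::Cookie with :secret, and a token helper mirrors what Rack::Csrf does with the session. The session key 'csrf.token' and form field '_csrf' are assumptions for the example, as is the 200/403 outcome of handle_post.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Constant-time string comparison so a token check does not leak how many
# leading bytes matched (Rack ships Rack::Utils.secure_compare for this).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for what Rack::Session::Cookie with :secret does: the whole
# session hash travels in a cookie, signed with an HMAC so the browser can
# read it but cannot alter it. (Constructed for this example; not Rack code.)
class SignedCookieSession
  def initialize(secret)
    @secret = secret
  end

  # Session hash -> cookie value of the form "<base64 payload>--<hmac>".
  def dump(session)
    payload = [JSON.generate(session)].pack('m0')
    "#{payload}--#{sign(payload)}"
  end

  # Cookie value -> session hash. A missing, malformed or tampered cookie
  # yields an empty session, exactly as if no cookie had been sent.
  def load(cookie)
    return {} if cookie.nil?
    payload, sig = cookie.split('--', 2)
    return {} unless payload && sig && secure_compare(sign(payload), sig)
    JSON.parse(payload.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    {}
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end
end

# Session key and form field names are assumptions for this example
# (rack_csrf's own defaults may differ; check its README).
CSRF_KEY   = 'csrf.token'
CSRF_FIELD = '_csrf'

# The token is created once and then kept in the session, so every
# subsequent request in the same session sees the same value.
def csrf_token(session)
  session[CSRF_KEY] ||= SecureRandom.hex(32)
end

# A state-changing request is accepted only if the submitted token matches
# the one stored in the session.
def csrf_valid?(session, submitted)
  expected = session[CSRF_KEY]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

# Simulates two GET requests from one browser and returns the token each saw.
# persist_cookie: true  => the session cookie is sent back on the second
#                          request (a working "rack.session");
#                 false => nothing is sent back, so every request starts with
#                          an empty session and the token is regenerated.
def tokens_across_requests(store, persist_cookie:)
  cookie = nil
  Array.new(2) do
    session = store.load(cookie)
    token = csrf_token(session)
    cookie = store.dump(session) if persist_cookie
    token
  end
end

# Simulates a POST: returns 200 when the CSRF check passes, 403 otherwise.
def handle_post(store, cookie, params)
  session = store.load(cookie)
  csrf_valid?(session, params[CSRF_FIELD]) ? 200 : 403
end

if __FILE__ == $PROGRAM_NAME
  store = SignedCookieSession.new('something')
  puts "working session:   #{tokens_across_requests(store, persist_cookie: true).uniq.size} distinct token(s)"
  puts "no session cookie: #{tokens_across_requests(store, persist_cookie: false).uniq.size} distinct token(s)"
end
```

Running it with persist_cookie: false reproduces the symptom described in the thread: the token is different on every request, not because the token generator is broken but because the session it should live in never comes back. The same model explains why a session cookie signed with a different :secret, or edited in the browser, is treated as no session at all, so a POST carrying an otherwise valid token is still rejected.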