On 19.9.2008, at 7.48, pankaj wrote:

> Also from a third party website, one can request a page that has a
> form, parse that page and get the authenticity_token,
> then construct a post request with this authenticity_token.

The authenticity token is there first and foremost to prevent CSRF
(http://en.wikipedia.org/wiki/Cross-site_request_forgery
, note that CSRF != XSS) and it works very well in that regard, as
Court mentions. AFAIK it's not supposed to be an ultimate solution to
haxory. It's very hard if not impossible to build protection against
all hacks into the framework; it's something the application developer
has to take care of. However, as said, authenticity_token is a good
cure against CSRF and requires zero intervention from you as a
developer.

//jarkko

--
Jarkko Laine
http://jlaine.net
http://dotherightthing.com
http://www.railsecommerce.com
http://odesign.fi
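To make concrete why the scenario quoted above (fetch the form from a third-party server, scrape the token, replay it) does not defeat the protection, here is an added example that models a session-bound CSRF token in plain Ruby. It is not Rails code and not Jarkko's; the class and method names (CsrfStore, form_token, verify_post, replay_attack_succeeds?) and the session ids are assumptions made for the illustration. The point it demonstrates: the token is checked against the session that the browser's cookie identifies, and the attacker's server, fetching the form in its own session, only ever learns a token for that session, while the same-origin policy keeps attacker-controlled script in the victim's browser from reading the victim's copy of the form.

```ruby
require 'securerandom'

# Constant-time string comparison so the token check itself does not leak
# the token byte by byte through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Minimal model of session-bound CSRF tokens (added example, not Rails).
# Sessions are keyed by the session id the browser sends in its cookie.
class CsrfStore
  def initialize
    @sessions = {} # session id => { token: "..." }
  end

  # Called when a form is rendered: returns the hidden authenticity_token
  # for this session, generating a fresh random one on first use.
  def form_token(session_id)
    session = (@sessions[session_id] ||= {})
    session[:token] ||= SecureRandom.hex(32)
  end

  # Called on every state-changing request. Accepts the request only if it
  # carries the token that belongs to the session named by the cookie.
  def verify_post(session_id, params)
    session = @sessions[session_id]
    return false if session.nil? || session[:token].nil?
    submitted = params['authenticity_token']
    return false unless submitted.is_a?(String)
    secure_equal?(submitted, session[:token])
  end
end

# The attack from the thread: the attacker's server GETs the form (in its
# own session, since it has no victim cookie), scrapes the token, and then
# has the victim's browser POST it. The browser attaches the victim's cookie,
# so the token is checked against the victim's session and does not match.
def replay_attack_succeeds?(store)
  victim   = 'sid-victim'   # constructed victim session id
  attacker = 'sid-attacker' # constructed attacker session id
  store.form_token(victim)             # victim has visited the form
  scraped = store.form_token(attacker) # attacker scrapes *their* token
  store.verify_post(victim, 'authenticity_token' => scraped)
end

if __FILE__ == $PROGRAM_NAME
  store = CsrfStore.new
  puts "legit post:   #{store.verify_post('s1', 'authenticity_token' => store.form_token('s1'))}"
  puts "no token:     #{store.verify_post('s1', {})}"
  puts "scraped token: #{replay_attack_succeeds?(CsrfStore.new)}"
end
```

What the check does not cover, and what Jarkko alludes to: if the attacker can run script in the victim's origin (XSS), that script can read the victim's own form and token, and no CSRF token helps. That is the application developer's problem, not the framework's.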



You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
