On 19.9.2008, at 7.48, pankaj wrote:

> Also from a third party website, one can request a page that has a
> form, parse that page and get the authenticity_token,
> then construct a post request with this authenticity_token.
Also, to get back to your statement above... Yes, a third party website can do that, but *it won't have an existing session available*. So even if it is intelligent enough to work with session cookies, it will get a brand-new, unauthenticated session. Thus it shouldn't be able to do anything dangerous.

However, the idea of CSRF is that a user *already logged in* will be tricked into posting to the site from a third-party page without knowing about it, thus bypassing the authentication. And this is what authenticity_token prevents, because the third party can't possibly know the authenticity token for the specific user session and can't load the page holding the form on the fly to grab the token because of the same-origin policy.

//jarkko

--
Jarkko Laine
http://jlaine.net
http://dotherightthing.com
http://www.railsecommerce.com
http://odesign.fi

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
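The mechanism Jarkko describes, as an added example that is not from the thread or from Rails itself: a minimal Ruby model of a per-session authenticity token check, showing why a token the attacker obtains from its own fresh session is useless against a logged-in victim. `CsrfGuard`, its method names and the plain-Hash sessions are assumptions of this example.

```ruby
require 'securerandom'

# Illustrative model of Rails-style CSRF protection (not Rails' own code).
# A session is a plain Hash; the token is minted once per session and must be
# echoed back in the form on every state-changing request.
module CsrfGuard
  module_function

  # Rendering a form: one token per session (like Rails' form_authenticity_token).
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so the check does not leak the token via timing.
  def secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Every request: GET is read-only and exempt; anything else must carry the
  # token that belongs to the *requesting* session (the cookie the browser sent).
  def verified_request?(method, session, params)
    return true if method == 'GET'
    expected = session[:_csrf_token]
    return false if expected.nil?
    secure_compare(expected, params['authenticity_token'].to_s)
  end
end

# Scenarios from the thread (constructed): the victim is logged in and has
# rendered a form; the third-party page can make the victim's browser send the
# victim's cookie, but can only ever read a form loaded in its *own* session.
def csrf_scenarios
  victim_session   = { user_id: 42 }                       # authenticated session
  victim_token     = CsrfGuard.form_authenticity_token(victim_session)
  attacker_session = {}                                    # brand-new, unauthenticated
  attacker_token   = CsrfGuard.form_authenticity_token(attacker_session)
  {
    legitimate:    CsrfGuard.verified_request?('POST', victim_session, { 'authenticity_token' => victim_token }),
    no_token:      CsrfGuard.verified_request?('POST', victim_session, {}),
    foreign_token: CsrfGuard.verified_request?('POST', victim_session, { 'authenticity_token' => attacker_token }),
    # Token check passes here, but the session carries no user_id: nothing dangerous.
    own_session:   CsrfGuard.verified_request?('POST', attacker_session, { 'authenticity_token' => attacker_token }),
    get_exempt:    CsrfGuard.verified_request?('GET', victim_session, {})
  }
end
```

The `foreign_token` case is the one the thread argues about: scraping a form from the attacker's own session yields a token bound to that session, so it fails against the victim's.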
