> The authenticity token is there first and foremost to prevent CSRF
> (http://en.wikipedia.org/wiki/Cross-site_request_forgery, note that CSRF != XSS)
> and it works very well in that regard, like Court mentions. AFAIK it's not
> supposed to be an ultimate solution to haxory. It's very hard if not
> impossible to build protection against all hacks into the framework, it's
> something the application developer has to take care of. However, like said
> authenticity_token is a good cure against CSRF and requires zero intervention
> from you as a developer.
Thanks for that, CSRF != XSS. If it does not provide a complete solution, everyone should know about it, so that they do not assume that it is.

On Sep 19, 1:00 pm, Jarkko Laine <[EMAIL PROTECTED]> wrote:
> Also, to get back to your statement above... Yes, a third party
> website can do that but *it won't have an existing session available*.
> So even if it is intelligent enough to work with session cookies, it
> will get a brand-new, unauthenticated session. Thus it shouldn't be
> able to do anything dangerous.

Yes, I forgot about the session thing. But my original thoughts were related to CSRF.

> However, the idea of CSRF is that a user *already logged in* will be
> tricked to post to the site from a third-party page without knowing
> about it, thus bypassing the authentication.

This I assume is done through some JavaScript, which finds its way onto the user's "logged in" page somehow, and transfers the cookie to the third-party site.

> And this is what
> authenticity_token prevents, because the third party can't possibly
> know the authenticity token for the specific user session and can't
> load the page holding the form on-the-fly to grab the token because of
> the same-origin policy.

If the script can transfer the cookie, it can also transfer the authenticity_token. So now the 3rd party application has both the cookie and the token :).

Regards,
Pankaj I

> //jarkko
>
> --
> Jarkko Laine
> http://jlaine.net
> http://dotherightthing.com
> http://www.railsecommerce.com
> http://odesign.fi
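The mechanism Jarkko describes above, as an added example that is not part of this thread and not Rails' own code: a toy Ruby model of the per-session authenticity token check, run against constructed requests for each case the thread raises (the site's own form, a cross-site forged POST that carries the cookie but no token, a token minted for a different session, and a request with no session at all). The `CsrfGuard` class, the cookie name `_session_id`, the token format and the scenario data are all assumptions of the example.

```ruby
require "securerandom"

# Toy model of a per-session CSRF token check in the style of Rails'
# protect_from_forgery. Added illustration, not Rails' own code: session
# storage, token format and the check itself are simplified (assumptions).
class CsrfGuard
  # Requests with these methods are treated as read-only and are not checked.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize
    @sessions = {} # session_id => { user: ..., csrf_token: ... }
  end

  # Log a user in: mint a session id (the cookie value) and an unguessable
  # secret that only pages rendered for this session will ever embed.
  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, csrf_token: SecureRandom.base64(32) }
    sid
  end

  # The hidden authenticity_token field the site's own form page emits.
  def form_token(sid)
    @sessions.fetch(sid)[:csrf_token]
  end

  # Check one request. `cookies` is what the browser attaches automatically
  # (also on cross-site requests); `params` is the submitted form body.
  # Returns :no_session, :invalid_token or :ok.
  def check(method:, cookies:, params:)
    session = @sessions[cookies["_session_id"]]
    return :no_session unless session
    return :ok if SAFE_METHODS.include?(method)

    secure_equal?(params["authenticity_token"].to_s, session[:csrf_token]) ? :ok : :invalid_token
  end

  private

  # Constant-time comparison: every byte is visited regardless of where the
  # first mismatch is, so response timing does not leak the token.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario covering the cases discussed in the thread.
def csrf_scenario
  guard = CsrfGuard.new
  victim_sid = guard.login("alice")
  victim_cookies = { "_session_id" => victim_sid }

  # The attacker can log in too, which only yields a token for *their* session.
  attacker_sid = guard.login("mallory")

  {
    # Site's own form: browser sends the cookie and the token from the page.
    legit: guard.check(method: "POST", cookies: victim_cookies,
                       params: { "authenticity_token" => guard.form_token(victim_sid), "amount" => "100" }),
    # Cross-site auto-submitted form: the cookie rides along, but the
    # same-origin policy keeps the attacker's page from reading the token.
    forged: guard.check(method: "POST", cookies: victim_cookies,
                        params: { "amount" => "100" }),
    # Attacker supplies the token from their own session: bound to the wrong session.
    wrong_session_token: guard.check(method: "POST", cookies: victim_cookies,
                                     params: { "authenticity_token" => guard.form_token(attacker_sid) }),
    # No session cookie at all (Jarkko's brand-new, unauthenticated session).
    no_session: guard.check(method: "POST", cookies: {}, params: { "amount" => "100" }),
    # Plain GET is not a state change and passes without a token.
    read_only: guard.check(method: "GET", cookies: victim_cookies, params: {})
  }
end

if __FILE__ == $PROGRAM_NAME
  csrf_scenario.each { |name, result| puts "#{name}: #{result}" }
end
```

Saved to a file and run with `ruby`, the script prints the verdict for each constructed request. The token is generated per session and only ever rendered into pages served to that session, so a request that arrives with the victim's cookie but without that value, or with a token minted for another session, is rejected. The check says nothing about script already executing inside the site's own origin; that case is an XSS problem rather than a CSRF one, which is the distinction behind Jarkko's "CSRF != XSS".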
