On Sunday, 20 May 2012 19:26:08 UTC-4, Anish wrote: > > I have an existing rails backend website which makes json ajax calls to my > server and I was passing csrf tokens in every ajax call. Now,I am > developing a mobile iOS app to use the same backend and send calls in json. > However, mobile requests are failing with "Can't verify CSRF token > authenticity", because i dont know of anyway to send the csrf token to > rails from app. > > Looking around, many people are suggesting to disable CSRF protection if > the call is json call - but I dont want to do that because my website all > uses json calls and that leaves my site open for attacks. > > My question is: > > 1) How can i let my iOS app know the rails generated csrf token to use it > in all app calls to server? Is it possible > > 2) Is there any other way that I can work around this problem? > > > Since this thread has been revived, it seems reasonable to mention that you may not want to use session state in your API at all - some HTTP clients may not support it out-of-the-box, etc. Oauth or Oauth2 is a possible alternative - there are some very slick gems to help with this (devise_oauth2_providable, among others).
--Matt Jones -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/RdU4jgc9qroJ. For more options, visit https://groups.google.com/groups/opt_out.