On Aug 28, 5:48 am, Raviv M-G <ravi...@gmail.com> wrote: > Hi all, > > I would like to use page caching on my homepage, but also want to > enable people to sign in via a modal dialog sign in form. I could > have a setup in which when a user lands on the cached homepage, an > Ajax GET request pulls in the whole login form so that there is a > fresh authenticity token. > > That said, besides the additional hit to the server, the CSRF token in > the head area of the page could be different (left over in the page > cache from another user). > > I'm guessing that loading a form like this through ajax is not > advisable, but since it works and most people hit the site without > signing in, I'm wondring why not just load the form via an ajax get > call? > Well I'm sure that would work, but is there any point to CSRF protection for a login form?
The aim of the token is to stop an attacker getting an already logged in use to submit form data unwittingly, but with a login action it doesn't seem like they can do any harm, since unless the attacker knows the user's credentials all they are ever going to trigger is a "bad login please try again" page. On top of that, when the CSRF token doesn't match up, these days what happens is that your session gets reset, so that the request gets handled like a non-logged user's would. Fred > Thanks, > Raviv -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
