Skip to content

CSRF protection should rescue exception not extend #14786

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 17, 2014
Merged

CSRF protection should rescue exception not extend #14786

merged 2 commits into from
Apr 17, 2014

Conversation

@PaulL1
Copy link
Contributor

@PaulL1 PaulL1 commented Apr 17, 2014

I think the changes to the default behaviour mean that rails will throw an exception when an invalid authenticity token is found. The previous proposed code of calling super then sign_out meant that sign_out was never reached - the exception handler never returned.

I think the best approach now is to catch the exception, although I'm not 100% certain on that. I've handled this by proposing the documentation change, rather than just asking the question - feel free to reject if this isn't the right solution.

@PaulL1
CSRF protection should rescue exception not extend
92fd44b 
I think the changes to the default behaviour mean that rails will throw an exception when an invalid authenticity token is found.  The previous proposed code of calling super then sign_out meant that sign_out was never reached - the exception handler never returned.

I think the best approach now is to catch the exception, although I'm not 100% certain on that.
@rafaelfranca
Copy link
Member

rafaelfranca commented Apr 17, 2014

Guides should mention what is correct with the default behavior. If it is exception we should change it.

@rafaelfranca
Copy link
Member

rafaelfranca commented Apr 17, 2014

But in this case the code before it is not using the exception option. I think we should change the guides to use the new Rails default.

@PaulL1
Include default rails protect_from_forgery with: :exception
d315275 
Extend previous changes, include the default line from the application controller that new rails applications are created with: 
  protect_from_forgery with: :exception

Minor wording changes to align.
@PaulL1
Copy link
Contributor Author

PaulL1 commented Apr 17, 2014

Agree. Extended to align with your suggestion.

@PaulL1
Copy link
Contributor Author

PaulL1 commented Apr 17, 2014

On a related matter, the security guide makes no mention of setting encrypted_cookie_salt or encrypted_signed_cookie_salt to values other than the default. It seems likely that this would be a good idea (there seems little point having a salt with a known value), but I haven't seen anything anywhere on the web that recommends it. Is this an oversight?

@rafaelfranca
Copy link
Member

rafaelfranca commented Apr 17, 2014

salt can be a known value without problem. But if you want to have be extra cautious you can set. I think we don't need to recommend changing it on the guide.

rafaelfranca added a commit that referenced this pull request Apr 17, 2014
@rafaelfranca
Merge pull request #14786 from PaulL1/patch-1
a3fd6e7 
CSRF protection should rescue exception not extend
@rafaelfranca rafaelfranca merged commit a3fd6e7 into rails:master Apr 17, 2014
@PaulL1 PaulL1 deleted the patch-1 branch April 17, 2014 23:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

docs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PaulL1 @rafaelfranca