Rails 2.0 incorporates request forgery protection by default. Requests using any
method other than GET are checked for a valid authenticity token, and the form helpers
have been extended to embed in every generated form a token derived from a secret key
and the current session. By default it tries to do the right thing; see the documentation
for ActionController::RequestForgeryProtection::ClassMethods for the details.
The one thing you must do yourself if you are not using cookie-based sessions is set
a secret:
class ApplicationController < ActionController::Base
  # Tokens are derived from this secret and the session; keep it out of version control.
  protect_from_forgery :secret => 'application-secret-283o39@4%dX963'
end
If you are using cookie-based session storage, ActionController generates a secret
for you, so the :secret parameter may be omitted. It is important that the session
cookie is a true nonpersistent session cookie, that is, one that disappears when the
browser session ends. If the session cookie is persistent, the token derived from it is
the same on every visit, so it never rotates and CSRF attacks remain possible.
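The check described above, as a small stand-alone model added here (it is not ActionController's own code): a token bound to the session id and the application secret, safe methods let through, every other method required to present a matching token. HMAC-SHA256 is an assumed stand-in for the digest Rails 2.0 used; the secret is the one from the page, and the session ids and requests are constructed for the demonstration. Because the token is a deterministic function of the session id, the same (persistent) session id always yields the same token, which is the caveat the text raises.

```ruby
require 'openssl'
require 'securerandom'

# Assumed secret, taken from the protect_from_forgery example on the page.
SECRET = 'application-secret-283o39@4%dX963'

# Token bound to the session and the secret. HMAC-SHA256 is an
# illustrative choice, not necessarily what Rails 2.0 used; the binding
# to the session is the point. Same session id => same token.
def authenticity_token(session_id, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, session_id)
end

# Constant-time comparison so a mismatch does not leak how many leading
# characters of the guess were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  expected = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ expected.shift }
  diff.zero?
end

# The rule from the page: GET (and HEAD) pass unchecked; every other
# method must carry a token matching the one for the *requester's* session.
def verified_request?(method, params, session_id, secret = SECRET)
  return true if %w[GET HEAD].include?(method.upcase)
  token = params['authenticity_token']
  return false if token.nil?
  secure_equal?(token, authenticity_token(session_id, secret))
end

# Constructed requests against a victim's session.
def demo
  victim_session = SecureRandom.hex(16)
  form_token = authenticity_token(victim_session)   # what the form helper would embed
  attacker_token = authenticity_token(SecureRandom.hex(16)) # from the attacker's own session
  {
    get_without_token:       verified_request?('GET', {}, victim_session),
    post_without_token:      verified_request?('POST', {}, victim_session),
    post_with_form_token:    verified_request?('POST', { 'authenticity_token' => form_token }, victim_session),
    post_with_foreign_token: verified_request?('POST', { 'authenticity_token' => attacker_token }, victim_session),
    token_constant_for_same_session: authenticity_token(victim_session) == form_token
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result}" }
end
```

A forged cross-site POST is the post_without_token or post_with_foreign_token case: the attacker's page cannot read the victim's form, so it cannot supply the victim's token. The last entry shows why the cookie must be nonpersistent: as long as the session id does not change, neither does the token.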
Canonicalization: What's in a Name?
The term canonicalization refers to the process of conforming input to an expected
representation. Loosely, canonicalization issues are problems that arise because the
same resource can be referenced in different ways.
Canonicalization often comes up when working with filesystem paths. On a Unix-like
system, you'd expect the paths /home/joeuser, ~joeuser, and /var/log/.
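To make the "same resource, different names" point concrete, here is an added example (not from the page): several constructed spellings of one directory are reduced to a single canonical absolute path, and a containment check is then made on the canonical forms rather than on the raw strings. File.expand_path normalises lexically (".", "..", doubled and trailing slashes) without touching the disk, so the paths need not exist; resolving symlinks would need File.realpath, and expanding ~joeuser requires that account to exist, so neither is used here. The base directory and requested paths are assumptions for the illustration.

```ruby
# Canonical absolute form of a path. Relative paths are resolved against
# cwd (defaulting to "/"), so the result is always absolute. Purely lexical:
# no filesystem access, no symlink resolution.
def canonical(path, cwd = '/')
  File.expand_path(path, cwd)
end

# Constructed spellings of the same directory.
ALIASES = [
  '/home/joeuser',
  '/home/joeuser/',
  '/home/./joeuser',
  '/home//joeuser',
  '/var/log/../../home/joeuser'
].freeze

# True when every spelling canonicalises to one path.
def all_same_resource?(paths)
  paths.map { |p| canonical(p) }.uniq.size == 1
end

# Is `requested` inside `base`? Both sides are canonicalised first, and the
# prefix test is done on a directory boundary. A naive start_with? on the raw
# strings would accept "/var/log/../../etc/passwd" (it starts with "/var/log")
# and also accept "/var/logs/x" (shares the characters but not the directory).
def within?(base, requested)
  base_c = canonical(base)
  req_c  = canonical(requested, base_c)
  req_c == base_c || req_c.start_with?(base_c.chomp('/') + '/')
end

if __FILE__ == $PROGRAM_NAME
  ALIASES.each { |p| puts "#{p.ljust(30)} -> #{canonical(p)}" }
  puts "all aliases same resource: #{all_same_resource?(ALIASES)}"
  %w[syslog ../log/./syslog /var/log/../../etc/passwd /var/logs/x].each do |req|
    puts "within /var/log? #{req.ljust(30)} #{within?('/var/log', req)}"
  end
end
```

The security rule this encodes is simple: canonicalise first, then decide. Any check performed on the un-canonicalised string is a check on one of many names for the resource, not on the resource itself.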