Adding note about CSRF protection to README. #448
Conversation
|
|
||
| == CSRF Protection | ||
|
|
||
| Because Authlogic introduces its own methods for storing user sessions, the CSRF (Cross Site Request Forgery) protection that is built into Rails will not work out of the box. |
There was a problem hiding this comment.
@lukeasrodgers wondering if we should emphasize here that it's a user-defined session (eg def current_user_session) so there's no way for Authlogic to know what to reset?
There was a problem hiding this comment.
How about adding this sentence to the above: "No generally applicable mitigation by the authlogic library is possible, because the instance variable you use to store a reference to the user session in def current_user_session will not be known to authlogic."
Open to other suggestions.
lukeasrodgers
force-pushed
the
csrf-protection-docs
branch
from
72a7c1b
to
6362d8e
Compare
|
Was going through my old, stale PRs and noticed this one -- I updated the docs as suggested, and fixed the merge conflict (was due to README.rdoc vs README.md). |
|
I'm not familiar with this particular CSRF issue, but given that Tieg already reviewed this I'm going to merge it. Thanks Luke, sorry for the long delay. |
|
@jaredbeck no problem, cheers. |
Open to other wording, suggestions on basic ways of addressing this issue.
Fixes #310