Implement :null_session CSRF protection method
It's further work on CSRF after 2459411. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does).
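To make the distinction in the commit message concrete, here is an added, self-contained Ruby illustration of the two failure strategies. It is constructed for this page and is not Rails's own implementation: the `SessionStore`, `Controller` and `demo` names, the token comparison and the status codes are all assumptions that stand in for the real middleware and `protect_from_forgery` machinery.

```ruby
# Constructed illustration (not Rails code) of what happens to the session
# when a request fails the CSRF check under each protection strategy:
#   :exception     -> the request is rejected outright
#   :reset_session -> the stored session is wiped, the user is logged out
#   :null_session  -> the request is served with an empty, throwaway session
#                     and the stored session is left untouched

class InvalidAuthenticityToken < StandardError; end

# Minimal server-side session store keyed by session id (assumption).
class SessionStore
  def initialize
    @sessions = {}
  end

  def fetch(id)
    @sessions[id] ||= {}
  end

  def reset(id)
    @sessions[id] = {}
  end
end

# Stand-in for a controller configured with `protect_from_forgery with: ...`.
class Controller
  attr_reader :store

  def initialize(store, strategy)
    @store = store
    @strategy = strategy # :exception, :reset_session or :null_session
  end

  # Simulates one request. Returns [status, session visible to the action].
  def handle(session_id:, csrf_token:, expected_token:)
    # Valid token: the action sees the real, persisted session.
    return [200, store.fetch(session_id)] if csrf_token == expected_token

    case @strategy
    when :exception
      raise InvalidAuthenticityToken
    when :reset_session
      # Persisted session is cleared; a later request starts from scratch.
      store.reset(session_id)
      [200, store.fetch(session_id)]
    when :null_session
      # Action runs against an empty session for this request only;
      # nothing is written back and the stored session survives.
      [200, {}]
    else
      raise ArgumentError, "unknown strategy #{@strategy.inspect}"
    end
  end
end

# Runs a forged request against a logged-in session under one strategy and
# reports what the action saw and whether the stored session survived.
def demo(strategy)
  store = SessionStore.new
  store.fetch("sid-1")[:user_id] = 42 # constructed logged-in session
  controller = Controller.new(store, strategy)
  status, seen = controller.handle(session_id: "sid-1",
                                   csrf_token: "forged",
                                   expected_token: "real")
  {
    status: status,
    action_saw_user: seen[:user_id],
    stored_user_after: store.fetch("sid-1")[:user_id]
  }
rescue InvalidAuthenticityToken
  { status: 422, action_saw_user: nil, stored_user_after: 42 }
end

if __FILE__ == $PROGRAM_NAME
  %i[exception reset_session null_session].each do |s|
    puts "#{s}: #{demo(s)}"
  end
end
```

The point the example makes for an API endpoint is that `:null_session` neither raises nor logs the user out of other clients sharing the cookie; the forged request simply runs as an anonymous one, which is why the generator comment below suggests it for APIs.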
Showing with 159 additions and 33 deletions.
- +70 −22 actionpack/lib/action_controller/metal/request_forgery_protection.rb
- +6 −10 actionpack/test/controller/request_forgery_protection_test.rb
- +1 −1 railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
- +82 −0 railties/test/application/middleware/session_test.rb
|@@ -1,5 +1,5 @@|
|class ApplicationController < ActionController::Base|
|# Prevent CSRF attacks by raising an exception.|
|- # For APIs, you may want to use :reset_session instead.|
|+ # For APIs, you may want to use :null_session instead.|
|protect_from_forgery with: :exception|
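Review bot: the replacement comment on the `+` line recommends `:null_session` for APIs but does not say how it differs from the `:exception` default one line below, so a reader of the generated app has no way to pick between them. Since the commit message already spells it out, consider carrying that into the template, e.g. `# For APIs, you may want to use :null_session instead, which serves the request with an empty session instead of raising.`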