
Disable storage on CSRF

1 parent 4bc2ff9 commit 66716023e4ef7ce483128cff5b2c6c68520a5dbb @josevalim josevalim committed Jun 16, 2012
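--- a/lib/devise/controllers/helpers.rb
+++ b/lib/devise/controllers/helpers.rb
@@ -255,6 +255,7 @@ def sign_out_and_redirect(resource_or_scope)
 def handle_unverified_request
 sign_out_all_scopes
 warden.clear_strategies_cache!
+request.env["devise.skip_storage"] = true
 expire_devise_cached_variables!
 super # call the default behaviour which resets the session
 end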
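Review bot: The added `request.env["devise.skip_storage"] = true` has no comment naming its consumer, so a reader of handle_unverified_request cannot tell from here why the flag exists or why it must be set before `super`. The strategies' `store?` reads this env key, and since the default handler called by `super` appears to reset the session without halting the request, any authentication that still runs later in the same request would otherwise re-store credentials after the reset. Because it lives in the request env, the flag presumably affects only this request, which is worth stating. Suggest `# Flag this request so Devise strategies skip session storage (read by Strategies::Base#store?); must be set before super.`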
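--- a/lib/devise/strategies/authenticatable.rb
+++ b/lib/devise/strategies/authenticatable.rb
@@ -9,7 +9,7 @@ class Authenticatable < Base
 attr_accessor :authentication_hash, :authentication_type, :password
 def store?
-!mapping.to.skip_session_storage.include?(authentication_type)
+super && !mapping.to.skip_session_storage.include?(authentication_type)
 end
 def valid?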
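--- a/lib/devise/strategies/base.rb
+++ b/lib/devise/strategies/base.rb
@@ -2,6 +2,11 @@ module Devise
 module Strategies
 # Base strategy for Devise. Responsible for verifying correct scope and mapping.
 class Base < ::Warden::Strategies::Base
+# Whenever CSRF cannot be verified, we turn off any kind of storage
+def store?
+!env["devise.skip_storage"]
+end
+
 # Checks if a valid scope was given for devise and find mapping based on this scope.
 def mapping
 @mapping ||= begin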
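Review bot: The comment on the new `store?` names the CSRF case but not the contract it imposes: this override is the only place `env["devise.skip_storage"]` is honored, so any subclass that overrides `store?` without calling `super` silently drops the protection, which is exactly what the `super &&` change in authenticatable.rb guards against. Note also that `store?` returns true whenever the key is absent, so the protection depends entirely on handle_unverified_request setting it earlier in the same request. Suggest replacing the comment with `# Returns false when the request was flagged with env["devise.skip_storage"] (set by handle_unverified_request when CSRF verification fails), so no credentials are stored in the session. Subclasses overriding store? must call super.`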
