
CSRF protection should rescue exception not extend

I think the changes to the default behaviour mean that Rails will throw an exception when an invalid authenticity token is found. The previous proposed code of calling super then sign_out meant that sign_out was never reached - the exception handler never returned.

I think the best approach now is to catch the exception, although I'm not 100% certain on that.
1 parent 542457b commit 92fd44b35df65556c8baad565421fd8fd44ee509 @PaulL1 PaulL1 committed Apr 17, 2014
Showing with 2 additions and 3 deletions.
  1. +2 −3 guides/source/security.md
5 guides/source/security.md
@@ -250,9 +250,8 @@ This will automatically include a security token in all forms and Ajax requests
It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself:
```ruby
-def handle_unverified_request
- super
- sign_out_user # Example method that will destroy the user cookies.
+rescue_from ActionController::InvalidAuthenticityToken do |exception|
+ sign_out_user # Example method that will destroy the user cookies
end
```
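Review bot: the new `rescue_from` block signs the user out but neither renders nor redirects, so the guide leaves the reader without an explicit response for a request whose authenticity token failed verification; end the block with a redirect or an error response (for example `redirect_to root_path` or `head :unprocessable_entity`) so the example shows a complete, safe handling of a rejected request. The `exception` block parameter is unused and can be dropped (`do` with no parameter list). Since this replaces the `handle_unverified_request` override, the paragraph above the snippet should say that the rescue belongs in the controller alongside the forgery protection declaration and only applies when, as the commit message notes, an invalid token raises an exception rather than being handled silently.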

0 comments on commit 92fd44b
