protect_from_forgery and login forms
76 Views, asked by Iván Cortés

Reading about how protect_from_forgery works, I came across multiple articles such as this one, which explains that the authenticity_token is bound to the user's session. All clear so far. But a question came up: how does protect_from_forgery work with login forms, since supposedly there isn't a user's session yet? I'd think protect_from_forgery could be disabled for the sessions#create action, but the scenario that @wjordan proposes here makes sense to me, and I can't figure out how it works.
Users visiting a website do have a session before logging in; however, it is an unauthenticated session (also referred to as a pre-session). The CSRF token is bound to that session. If you are using Devise, once you log in you will get another session. A good explainer on the types of attacks this mitigates is provided here: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf The linked paper within the article has detailed examples, which are great!
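The flow the answer describes, as an added example that is not part of the original post and not Rails' or Devise's own code: a simplified Ruby model of Rails' masked authenticity token scheme, with a plain Hash standing in for the session. It keeps a per-session secret under session[:_csrf_token] (the key Rails uses), masks it with a fresh one-time pad on every render, and unmasks and compares on verification, so you can watch an anonymous pre-session accept its own login-form token, reject a token minted in another session, and reject the stale token after the session is reset at login. The module name CsrfModel, the login! helper and login_flow_demo are assumptions of this example; Rails' real logic lives in ActionController::RequestForgeryProtection and additionally handles legacy unmasked tokens and per-form tokens, which are left out here.

```ruby
require 'securerandom'
require 'base64'

# Example-only model of Rails' masked CSRF token (not Rails' own code).
# A session is a Hash; Rails stores the real secret under :_csrf_token.
module CsrfModel
  TOKEN_LENGTH = 32

  module_function

  # Like Rails' real_csrf_token: lazily create the per-session secret.
  # An anonymous visitor gets one the first time any form is rendered,
  # so the login form's token is bound to the pre-session.
  def real_csrf_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  def xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Masked form token: pad || (pad XOR secret), base64url-encoded.
  # Each render yields a different string for the same secret.
  def form_authenticity_token(session)
    secret = real_csrf_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.urlsafe_encode64(pad + xor_bytes(pad, secret))
  end

  # Constant-time comparison so token checks do not leak byte positions.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verification for a non-GET request: the submitted token must unmask
  # to the secret stored in the session that accompanies *this* request.
  def valid_authenticity_token?(session, encoded)
    return false if encoded.nil? || encoded.empty?
    masked = begin
      Base64.urlsafe_decode64(encoded)
    rescue ArgumentError
      return false
    end
    return false unless masked.bytesize == TOKEN_LENGTH * 2
    pad = masked[0, TOKEN_LENGTH]
    encrypted = masked[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor_bytes(pad, encrypted), real_csrf_token(session))
  end

  # Assumed login step: after the password check, drop the pre-session
  # (and its CSRF secret) before storing the user id, as a reset_session
  # at login does. This is also what blocks session fixation across login.
  def login!(session, user_id)
    session.clear
    session[:user_id] = user_id
    session
  end
end

# Walks the scenario from the question and returns the outcomes.
def login_flow_demo
  # 1. Anonymous visitor loads the login page: the pre-session gets a secret
  #    and the rendered form carries a token bound to it.
  victim_session = {}
  form_token = CsrfModel.form_authenticity_token(victim_session)
  second_render = CsrfModel.form_authenticity_token(victim_session)
  accepted = CsrfModel.valid_authenticity_token?(victim_session, form_token)

  # 2. Login CSRF attempt: the attacker mints a token in their own session and
  #    has the victim's browser POST it; the victim's pre-session rejects it.
  attacker_session = {}
  attacker_token = CsrfModel.form_authenticity_token(attacker_session)
  forged = CsrfModel.valid_authenticity_token?(victim_session, attacker_token)

  # 3. Credentials verified, session reset: the old form token is now dead
  #    and the authenticated session carries a fresh secret.
  CsrfModel.login!(victim_session, 42)
  stale = CsrfModel.valid_authenticity_token?(victim_session, form_token)

  {
    fresh_form_token_accepted: accepted,
    token_varies_per_render: form_token != second_render,
    foreign_token_rejected: !forged,
    stale_token_rejected_after_login: !stale,
    logged_in_user: victim_session[:user_id]
  }
end

if __FILE__ == $PROGRAM_NAME
  login_flow_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The point for the question: the login form needs no exemption from protect_from_forgery, because the visitor already holds a pre-session whose secret the form token is masked against; skipping verification on sessions#create would reopen exactly the login CSRF case the OWASP link above describes. With Devise, the session rotation modelled by login! is what the answer refers to as getting another session after sign-in.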