user65663

In Rails, do you need to use form_authenticity_token if you're already checking if a user is logged in?

Because form_authenticity_token is used to validate requests, is it redundant to use it when you're already checking whether a user is logged in?

I.e., is form_authenticity_token really intended only for forms which are available to anyone, as opposed to forms exclusively for logged-in users?

Upvotes: 1

Views: 1799

Answers (2)

Mihai A

Reputation: 1473

No, because in CSRF attacks the requests are sent by the client's browser, which is authenticated, and may delete his data.

Read the Ruby on Rails Security Guide section about CSRF.

Upvotes: 0

jdl

Reputation: 17790

Being logged in would make an XSRF attack worse, because then it could actually damage real data. Check these out as a starting point.

XSRF in a RESTful Application

Cross-Site Request Forgeries and You

Upvotes: 2
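An added illustration of the point both answers make, modeled on how Rails binds the authenticity token to the session (this is not code from the question, the answers, or Rails itself; the `session` and `params` hashes and the `handle_delete` action are assumed stand-ins for a controller action):

```ruby
require "securerandom"
require "base64"

# Minimal model of Rails' session-bound authenticity-token check (added
# illustration, not Rails' code). `session` stands for the cookie-backed session hash.
TOKEN_LENGTH = 32

# Raw per-session token, created once and kept server-side in the session.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Value rendered into a form: raw token XORed with a fresh one-time pad, pad
# prepended, Base64-encoded, so every rendered form carries a different string.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(real_csrf_token(session), pad))
end

# Constant-time comparison so the token check leaks nothing via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Unmask a submitted token and compare it with the token bound to the session.
def valid_authenticity_token?(session, submitted)
  return false if submitted.nil?
  begin
    decoded = Base64.strict_decode64(submitted)
  rescue ArgumentError
    return false
  end
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad, masked = decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(masked, pad), real_csrf_token(session))
end

# A state-changing action. A forged cross-site request passes the login check too
# (the browser attaches the victim's cookie); only the token tells them apart.
def handle_delete(session, params)
  return :unauthorized unless session[:user_id]
  return :invalid_token unless valid_authenticity_token?(session, params["authenticity_token"])
  :deleted
end
```

The login check alone returns the same answer for the victim's own form and for a form submitted from another site; only the token, which a foreign page cannot read, distinguishes them.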