Even if I configure CookieStore with:

MyApp::Application.config.session_store :cookie_store, {
  key: '_myapp_session',
  cookie_only: false,
  httponly: false
}

and I make a POST request with

  • _myapp_session = #SOME_SESSION_ID
  • and authenticity_token = #AUTH_TOKEN
  • and http-header[X-CSRF-Token] set to #AUTH_TOKEN

the user still ends up not authenticated, and a new session is created with a new AUTH_TOKEN and session id.

Can anybody give me some suggestions?


Solution

Unfortunately there is NO SUPPORT for this option in the current 4.0 branch. Although this option is forced to TRUE, I didn't find any code in the Rails sources using this option.

The way to make isolated POST requests work is to create a dedicated middleware which will add the appropriate session cookie. It must be inserted in the appropriate place, because the middleware order is significant.

Because this is very dangerous from the CSRF security aspect, we must add the same verification to our middleware, which will limit the potential risk to a minimum.
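One way to build the middleware the answer describes, as an added example that is not the answer author's code and not part of Rails: a Rack middleware that, for a form-encoded POST carrying the session cookie value in the body, copies that value into the Cookie header before the session store sees it, but only when the form's authenticity_token equals the X-CSRF-Token header and the cookie value carries a valid signature. The cookie format ("payload--hexdigest", HMAC-SHA256 under a constructed secret), the cookie name _myapp_session, the class name SessionFromParams and the helper run_through_middleware are all assumptions made for this example; Rails' real cookie store uses its own signing and encryption scheme.

```ruby
require 'openssl'
require 'stringio'
require 'uri'

# Example Rack middleware (constructed for this page, not Rails code).
# It lets a POST request that cannot carry a Cookie header (the "isolated
# POST" of the question) supply the session cookie value as a form field.
class SessionFromParams
  COOKIE = '_myapp_session'                      # assumed cookie name
  SECRET = 'constructed-example-secret'          # assumed signing secret; in a
                                                 # real app use the app's secret

  def initialize(app, secret: SECRET)
    @app = app
    @secret = secret
  end

  # Mint a signed cookie value in the assumed "payload--hexdigest" format.
  # The payload must not itself contain "--" (Rails' base64 payloads never do).
  def self.sign(payload, secret = SECRET)
    digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, payload)
    "#{payload}--#{digest}"
  end

  def call(env)
    if env['REQUEST_METHOD'] == 'POST' &&
       env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')
      params       = read_form(env)
      sid          = params[COOKIE]
      form_token   = params['authenticity_token']
      header_token = env['HTTP_X_CSRF_TOKEN']

      # Inject only when: the form carries a session value, the CSRF token is
      # present both as a form field and as a custom header and the two agree,
      # the session value is signed with our secret, and the browser did not
      # already send a real cookie (a real cookie always wins).
      if sid && form_token && header_token &&
         secure_equal?(form_token, header_token) &&
         valid_signature?(sid) &&
         !env['HTTP_COOKIE'].to_s.include?("#{COOKIE}=")
        env['HTTP_COOKIE'] = [env['HTTP_COOKIE'], "#{COOKIE}=#{sid}"].compact.join('; ')
      end
    end
    @app.call(env)
  end

  private

  # Read the form body and rewind it so the application can read it again.
  def read_form(env)
    io = env['rack.input']
    return {} unless io
    body = io.read
    io.rewind if io.respond_to?(:rewind)
    URI.decode_www_form(body.to_s).to_h
  end

  def valid_signature?(value)
    payload, digest = value.split('--', 2)
    return false if payload.nil? || digest.nil?
    expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, payload)
    secure_equal?(expected, digest)
  end

  # Constant-time comparison so token/signature checks do not leak by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for the downstream stack: a tiny app that reports the Cookie header
# it received, so we can observe whether the middleware injected one.
# Returns nil when no Cookie header reached the app.
def run_through_middleware(form, csrf_header: nil, existing_cookie: nil)
  seen = nil
  app = ->(env) { seen = env['HTTP_COOKIE']; [200, {}, ['ok']] }
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => 'application/x-www-form-urlencoded',
    'rack.input'     => StringIO.new(URI.encode_www_form(form)) # constructed body
  }
  env['HTTP_X_CSRF_TOKEN'] = csrf_header   if csrf_header
  env['HTTP_COOKIE']       = existing_cookie if existing_cookie
  SessionFromParams.new(app).call(env)
  seen
end

if __FILE__ == $PROGRAM_NAME
  sid = SessionFromParams.sign('sessiondata')
  puts run_through_middleware({ '_myapp_session' => sid, 'authenticity_token' => 'tok' },
                              csrf_header: 'tok').inspect
end
```

In a Rails app this class would be registered with `config.middleware.insert_before ActionDispatch::Session::CookieStore, SessionFromParams` so it runs before the session store reads the Cookie header; the rest of the stack, including the normal authenticity-token check against the session, still runs unchanged. Requiring the token to arrive in a custom request header is the part that limits the CSRF exposure: a plain cross-site HTML form cannot set X-CSRF-Token, and a cross-origin XMLHttpRequest that sets it triggers a CORS preflight the application does not have to answer.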

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow