Question

Even if I configure CookieStore with:

MyApp::Application.config.session_store :cookie_store, {
  key: '_myapp_session',
  cookie_only: false,
  httponly: false
}

and I make a POST request with

  • _myapp_session = #SOME_SESSION_ID
  • and authenticity_token = #AUTH_TOKEN
  • and http-header[X-CSRF-Token] set to #AUTH_TOKEN

finally the user is not authenticated, and a new session is created with a new AUTH_TOKEN and session id.

Can anybody give me some suggestions?

Solution

Unfortunately there is NO SUPPORT for this option in the current 4.0 branch. This option is forced to TRUE, and I didn't find any code in the Rails sources using this option.

The way to make isolated POST requests work is to create a dedicated middleware which will add the appropriate session cookie. It must be inserted in the appropriate place, because middleware order is significant.

Because it is very dangerous from the CSRF security aspect, we must add the same verification to our middleware, which will limit the potential risk to a minimum.
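The middleware the answer describes, written out as an added example (not code from the answer or from Rails): a Rack middleware that copies a `_myapp_session` form field into the Cookie header, but only for a POST whose `authenticity_token` field matches the `X-CSRF-Token` header, so the downstream session store and Rails' own `verify_authenticity_token` check still see a normal cookie-backed request. The class name, the `session_key` option and the sample request are assumptions.

```ruby
require 'uri'
require 'stringio'

# Added example: Rack middleware that lets a POST carry the session cookie
# value in a form field. It must sit BEFORE the session store middleware.
# The class name and session_key option are assumptions, not Rails API.
class SessionFromParamMiddleware
  def initialize(app, session_key: '_myapp_session')
    @app = app
    @session_key = session_key
  end

  def call(env)
    inject_session_cookie(env)
    @app.call(env)
  end

  # Returns true when a session cookie was injected into env, false otherwise.
  def inject_session_cookie(env)
    return false unless env['REQUEST_METHOD'] == 'POST'
    return false if cookie_present?(env)            # never override a real cookie
    return false unless env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')
    input = env['rack.input']
    return false if input.nil?

    body = input.read
    input.rewind                                    # leave the body readable for the app
    params = URI.decode_www_form(body).to_h

    session_value = params[@session_key].to_s
    form_token    = params['authenticity_token'].to_s
    header_token  = env['HTTP_X_CSRF_TOKEN'].to_s   # Rails' X-CSRF-Token header
    return false if session_value.empty? || form_token.empty?
    # Same guard the answer insists on: header and form token must agree.
    # Rails still verifies the token against the session afterwards.
    return false unless form_token == header_token

    cookie = "#{@session_key}=#{session_value}"
    existing = env['HTTP_COOKIE'].to_s
    env['HTTP_COOKIE'] = existing.empty? ? cookie : "#{existing}; #{cookie}"
    true
  end

  private

  def cookie_present?(env)
    env['HTTP_COOKIE'].to_s.split(/;\s*/).any? { |c| c.start_with?("#{@session_key}=") }
  end
end
```

Insert it with `config.middleware.insert_before ActionDispatch::Session::CookieStore, SessionFromParamMiddleware` so the cookie is in place before the session store reads it.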

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow