Question

I'm looking into developing a Sproutcore client-side webapp with a Rails 3 backend. One of the problems I'm envisioning is having to pass the authentication token along with the communication between Sproutcore and Rails.

When is the CSRF token regenerated? Is it on a per-session basis? Would it be okay to disable the authenticity check for login requests, then pass the authentication token back from the login and store it on the client side for future requests?


Solution

You can load the authenticity token whether the user is logged in or not. It's stored with the session and would not change after a user logs in, and you don't need to disable the authenticity check. I use this snippet to set a JavaScript variable:

<%= javascript_tag "var AUTH_TOKEN = #{form_authenticity_token.inspect};" if protect_against_forgery? %>
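How a client-side app would then use that variable on every state-changing request, as an added example (not code from the original answer, Sproutcore or Rails): it assumes the page set `AUTH_TOKEN` via the snippet above, sends it in the `X-CSRF-Token` header that Rails' forgery protection accepts as an alternative to the `authenticity_token` parameter, and uses a constructed sample token in place of `window.AUTH_TOKEN`.

```javascript
// Added example: build request options so Rails' protect_from_forgery check
// passes without disabling it for any action, login included.

// Rails only verifies the authenticity token on requests that may change
// state; GET and HEAD are exempt, so the token is not needed there.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function needsCsrfToken(method) {
  return !SAFE_METHODS.has(method.toUpperCase());
}

// Build fetch()-style options for a JSON request to the Rails backend.
// The session cookie (which the token is tied to) must travel with it,
// hence credentials: 'same-origin'.
function buildRequest(method, body, token) {
  const headers = {
    'Content-Type': 'application/json',
    'Accept': 'application/json',
  };
  if (needsCsrfToken(method)) {
    if (!token) {
      // Fail closed: a missing token means the page never set AUTH_TOKEN,
      // and Rails would reject the request anyway.
      throw new Error('CSRF token missing: AUTH_TOKEN was not set by the page');
    }
    headers['X-CSRF-Token'] = token;
  }
  return {
    method: method.toUpperCase(),
    headers,
    credentials: 'same-origin',
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// In a browser this would be: const token = window.AUTH_TOKEN;
const SAMPLE_TOKEN = 'constructed-sample-token-not-real'; // constructed value

// Login is a POST, so it carries the token; listing is a GET, so it does not.
const loginRequest = buildRequest('POST', { email: 'a@example.com', password: 'x' }, SAMPLE_TOKEN);
const listRequest = buildRequest('GET', undefined, SAMPLE_TOKEN);
```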
Licensed under: CC-BY-SA with attribution