Question

In chapter 8 of the rails tutorial, Michael Hartl introduces the idea of "remember tokens" in order to remember a session even after a browser is closed. He mentions that a session consists of a remember token that points to a user, and this remember token is stored in a user object.

Earlier in the tutorial, we go through a lot of work to hash our passwords so that if our database is breached, our passwords are still safe. However, with the introduction of remember_tokens, a database breach will yield a plain-text remember token, making a session easy to forge.

Perhaps there is some inherent "magic" (as usually seems to be the case) to rails that prevents CSRF even with a proper, valid remember token... can anyone enlighten me?

Solution

Just storing the session token on the client (in cookies) leaves you vulnerable to CSRF attacks. In order to make your application secure against this type of attack, in Rails you have a helper which adds a CSRF token to the page:

<%= csrf_meta_tags %>

and a filter (protect_from_forgery):

  class FooController < ApplicationController
    # verify the CSRF token on every action except index
    protect_from_forgery :except => :index
  end

For more about rails security visit: http://guides.rubyonrails.org/security.html

OTHER TIPS

Breaching the database does not yield plain-text remember tokens.
We only save remember token digests to the database. These are hashed just like the passwords early on.

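The scheme the answer above describes, as an added example that is not code from the tutorial or from either answer: the raw token goes to the browser cookie, the model keeps only its digest, and a leaked digest cannot be presented as a token. SHA-256 stands in for the BCrypt digest the tutorial uses (an assumption made here so the example needs only the standard library; it is adequate because the token itself carries 128 bits of randomness).

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the User model: @remember_digest plays the
# role of the remember_digest database column.
class User
  attr_reader :id, :remember_digest

  def initialize(id)
    @id = id
    @remember_digest = nil
  end

  # Fresh random token; this is the value that goes into the cookie.
  def self.new_token
    SecureRandom.urlsafe_base64(16)   # 128 bits of entropy
  end

  # SHA-256 replaces BCrypt here (assumption, see lead-in).
  def self.digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Issue a token: store only its digest, hand the raw token back to the
  # caller so it can be placed in a permanent cookie.
  def remember
    token = User.new_token
    @remember_digest = User.digest(token)
    token
  end

  # Invalidate the stored digest (logout / "forget me").
  def forget
    @remember_digest = nil
  end

  # True only when the presented cookie token hashes to the stored digest.
  def authenticated?(token)
    return false if remember_digest.nil? || token.nil?
    constant_time_equal?(User.digest(token), remember_digest)
  end

  private

  # Byte-wise comparison without an early exit on the first mismatch.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Presenting `remember_digest` itself as the cookie value fails `authenticated?`, which is the property that makes a dumped users table useless for forging sessions.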
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow