Problem

Even if I configure CookieStore with:

MyApp::Application.config.session_store :cookie_store, {
  key: '_myapp_session',
  cookie_only: false,
  httponly: false
}

and I make a POST request with

  • _myapp_session = #SOME_SESSION_ID
  • and authenticity_token = #AUTH_TOKEN
  • and http-header[X-CSRF-Token] set to #AUTH_TOKEN

the user is still not authenticated, and a new session is created with a new AUTH_TOKEN and session id.

Can anybody give me some suggestions?


Solution

Unfortunately there is NO SUPPORT for this option in the current 4.0 branch. Although this option is forced to TRUE, I didn't find any code in the Rails sources that uses it.

The way to make isolated POST requests work is to create a dedicated middleware which adds the appropriate session cookie. It must be inserted in the appropriate place, because the middleware order is significant.

Because this is very dangerous from a CSRF security standpoint, we must add the same verification to our middleware, which will limit the potential risk to a minimum.
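A minimal Rack middleware of the kind the answer describes, added here as an example (not the answerer's code): it copies `_myapp_session` from the POST body into the Cookie header only when the `X-CSRF-Token` header equals the `authenticity_token` form field and the request carries no session cookie already. The class name, the `insert_before` position and the constructed echo app used for the demo are assumptions.

```ruby
require 'uri'
require 'stringio'

# Rack middleware that lets an isolated POST request present its session id in
# the form body instead of a Cookie header. It must sit before the session
# middleware, e.g. (assumed insertion point and class name):
#   config.middleware.insert_before ActionDispatch::Session::CookieStore, SessionFromParams
class SessionFromParams
  SESSION_KEY = '_myapp_session'.freeze  # must match the session_store :key
  def initialize(app)
    @app = app
  end
  def call(env)
    inject_session_cookie(env) if eligible?(env)
    @app.call(env)
  end
  private
  # Only a form-encoded POST that carries no session cookie already is touched.
  def eligible?(env)
    env['REQUEST_METHOD'] == 'POST' &&
      env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded') &&
      !env['HTTP_COOKIE'].to_s.include?("#{SESSION_KEY}=")
  end
  def inject_session_cookie(env)
    body = env['rack.input'].read
    env['rack.input'] = StringIO.new(body)  # hand a rewound body to the app
    params = URI.decode_www_form(body).to_h
    sid, token = params[SESSION_KEY], params['authenticity_token']
    # The verification the answer asks for: header token and form token must both be
    # present and equal; otherwise nothing is injected and Rails keeps its default behaviour.
    return if sid.nil? || token.nil? || token.empty?
    return unless secure_equal?(env['HTTP_X_CSRF_TOKEN'].to_s, token)
    cookie = "#{SESSION_KEY}=#{URI.encode_www_form_component(sid)}"
    env['HTTP_COOKIE'] = [env['HTTP_COOKIE'].to_s, cookie].reject(&:empty?).join('; ')
  rescue ArgumentError  # malformed (non-ASCII) body: leave the request untouched
  end
  # Constant-time comparison so the token check does not leak timing.
  def secure_equal?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-alone demo against a constructed app that echoes the Cookie header it sees.
def run_demo(body, csrf_header, cookie: nil)
  env = { 'REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
          'rack.input' => StringIO.new(body), 'HTTP_X_CSRF_TOKEN' => csrf_header }
  env['HTTP_COOKIE'] = cookie if cookie
  echo = ->(e) { [200, {}, [e['HTTP_COOKIE'].to_s]] }
  SessionFromParams.new(echo).call(env)[2].first
end
```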

License: CC-BY-SA with attribution