protect_from_forgery and login forms

Question

Reading about how protect_from_forgery works, I came across multiple articles, such as this one, which explains that the authenticity_token is bound to the user's session. All clear so far. But a question came up: how does protect_from_forgery work with login forms, since supposedly there isn't a user session yet? I'd think protect_from_forgery could be disabled for the sessions#create action, but the scenario that @wjordan proposes here makes sense to me, and I can't figure out how it works.

Answer 1

Score: 0

Users visiting a website do have a session before logging in; however, it is an unauthenticated session (also referred to as a pre-session). The CSRF token is bound to that session. If you are using Devise, once you log in you will get another session. A good explainer on the types of attacks this mitigates is provided here (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf); the linked paper within the article has detailed examples, which are great!
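As an added illustration (not the asker's or answerer's code, and a simplified model rather than Rails's own implementation), the following shows a CSRF token bound to an anonymous pre-session, masked per render the way Rails masks its tokens, and invalidated when the session is rotated at login. CsrfSession, form_token, valid_token? and login! are hypothetical names.

```ruby
require 'securerandom'
require 'base64'

# Hypothetical model of a session-bound CSRF token (not Rails's own code).
class CsrfSession
  TOKEN_LENGTH = 32 # bytes of raw token kept in the session
  # Anonymous pre-session: no user yet, but a CSRF token can be bound to it.
  def initialize
    @session = {}
  end

  # Raw token stored in the session, created lazily on first form render.
  def raw_token
    @session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Token embedded in the login form: a fresh one-time pad XORed with the raw
  # token, so each rendered form differs yet verifies against the same session.
  def form_token
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, raw_token))
  end

  # Unmask a submitted token and compare it with the session's raw token in
  # constant time; a cross-site page cannot read the pre-session's raw token,
  # so a forged login POST fails here (this is what blocks login CSRF).
  def valid_token?(submitted)
    decoded = Base64.strict_decode64(submitted.to_s)
    return false unless decoded.bytesize == 2 * TOKEN_LENGTH
    unmasked = xor(decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH])
    secure_equal?(unmasked, raw_token)
  rescue ArgumentError
    false # not valid base64
  end

  # Successful login rotates the session (as reset_session / Devise do), so a
  # token issued to the pre-session stops verifying and a new one is minted.
  def login!(user_id)
    @session = { user_id: user_id }
  end

  private
  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```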

huangapple
  • Published on 2023-01-06 10:58:45
  • Please retain this link when reposting: https://go.coder-hub.com/75026529.html