“protect_from_forgery and login forms” 可翻译为 “防止跨站请求伪造和登录表单”。

huangapple go评论73阅读模式
英文:

protect_from_forgery and login forms

问题

阅读关于protect_from_forgery的工作原理时,我发现了多篇文章,比如这篇,它解释了authenticity_token与用户会话绑定。到目前为止一切都清楚。但是出现了一个问题,既然在登录表单中还没有用户会话,那么protect_from_forgery是如何工作的呢?我认为可以在sessions#create操作中禁用protect_from_forgery,但@wjordan这里提出的情况对我来说有道理,但我无法弄清楚它是如何工作的。

英文:

Reading about how protect_from_forgery works, I came across multiple articles such as this one which explains that the authenticity_token is bound to the user's session. All clear so far. But a question came up, how does protect_from_forgery work with login forms since it's supposed there isn't a user's session yet? I'd think protect_from_forgery could be disabled for the sessions#create action but the scenario that @wjordan proposes here makes sense to me, but I can't figure out how it works.

答案1

得分: 0

以下是翻译好的部分:
"Users visiting a website do have a session before logging in however it is an unauthenticated session (also referred to as a pre-session). The CSRF is bound to that session. If you are using Devise, once you log in you will get another session. A good explainer on the types of attacks this mitigates is provided here https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf The linked paper within the article has detailed examples which are great!"

英文:

Users visiting a website do have a session before logging in however it is an unauthenticated session (also referred to as a pre-session). The CSRF is bound to that session. If you are using Devise, once you log in you will get another session. A good explainer on the types of attacks this mitigates is provided here https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf The linked paper within the article has detailed examples which are great!

huangapple
  • 本文由 发表于 2023年1月6日 10:58:45
  • 转载请务必保留本文链接:https://go.coder-hub.com/75026529.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定