CSRF protection and cross site form access

Posted by fl00r on Stack Overflow See other posts from Stack Overflow or by fl00r
Published on 2010-05-06T10:15:42Z Indexed on 2010/05/06 10:58 UTC
Read the original article Hit count: 282

Filed under:

csrf

|

ruby

|

ruby-on-rails

|

security

|

authentication

Hi. I aw working on cross site authentication (some domains have got common authentication). So I want to send authentication data (login, password) to main domain from others.

How should I use protect_from_forgery and how can I check if data received from valid domain?

What I am thinking now is to turn off protect_from_forgery for session controller and check domain name of received data.

But maybe I can configure CSRF protection for not only one domain?

© Stack Overflow or respective owner

Related posts about csrf

Django CSRF framework cannot be disabled and is breaking my site

as seen on Stack Overflow - Search for 'Stack Overflow'
The django csrf middleware can't be disabled. I've commented it out from my Middleware of my project but my logins are failing due to missing CSRF issues. I'm working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware? I have to disable it because there are lots… >>> More
Make CSRF middleware work in Django's 404 error pages

as seen on Stack Overflow - Search for 'Stack Overflow'
I put a login box alone with a keyword search box in 404.html in a Django project so in case a 404 error is raised, visitors get more options to jump to other parts. But the CSRF middleware doesn't work in 404 error page with no csrf token rendered. I tried move 'django.middleware.csrf.CsrfViewMiddleware'… >>> More
CSRF (Cross-site request forgery) attack example and prevention in PHP

as seen on Stack Overflow - Search for 'Stack Overflow'
I have an website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on the website, and someone gives them a link like this: http://mysite… >>> More
Having a POST'able API and Django's CSRF Middleware

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403. I understand why this is happening, but what is the proper… >>> More
HtmlUnit to login (post form) to csrf enable website

as seen on Stack Overflow - Search for 'Stack Overflow'
I am posting a form using HTMLUnit webClient by putting the username and password but it could not logging me in. When i research then found out that they have enable csrf on post request so native web browser is required. Is there any way to login (post form) in csrf enable website using HTMLUnit… >>> More

Related posts about ruby

Setting up Rails to work with sqlserver

as seen on Stack Overflow - Search for 'Stack Overflow'
Ok I followed the steps for setting up ruby and rails on my Vista machine and I am having a problem connecting to the database. Contents of database.yml development: adapter: sqlserver database: APPS_SETUP Host: WindowsVT06\SQLEXPRESS Username: se Password: paswd Run rake db:migrate… >>> More
marshal data too short!!!

as seen on Stack Overflow - Search for 'Stack Overflow'
My application requires to keep large data objects in session. There are like 3-4 data objects each created by parsing a csv containing 150 X 20 cells having strings of 3-4 characters. My application shows this error- "marshal data too short". I tried this- Deleting the old session table. Deleting… >>> More
Sinatra and XML POST request

as seen on Stack Overflow - Search for 'Stack Overflow'
I don't know is it my mistake or no. So i have that code: <code> post '/singin/get_token' do content_type :xml puts request.body.read puts xmlRequest xmlRequest = REXML::Document.new(request.body.read) ... </code> And when i post something like that: <code> <?xml… >>> More
how to change ruby path from /usr/bin/ruby to /usr/local/bin/ruby

as seen on Stack Overflow - Search for 'Stack Overflow'
reading around the various ruby install tutorials it's required to change path from /usr/bin/ruby to /usr/local/bin/ruby but i cant seem to be able to do it. Ultimately i want to install Ruby 1.9.2, should i uninstall 1.8.7 or what? i tried to install Ruby 1.9.2 with macports, the installation seemed… >>> More
strange bundler error: tar_input.rb:49:in `initialize': not in gzip format (Zlib::GzipFile::Error) o

as seen on Stack Overflow - Search for 'Stack Overflow'
i am getting a strange bundler error when running bundle pack with bundler 0.9.12 any ideas? (see pastie for a better formatted code: http://pastie.org/881328 ) /opt/ruby-enterprise-1.8.7-2010.01/lib/ruby/site_ruby/1.8/rubygems/package/tar_input.rb:49:in `initialize': not in gzip format (Zlib::GzipFile::Error) … >>> More