From 9345e9cca241c201443ae1feec08de967851b231 Mon Sep 17 00:00:00 2001 From: Vijay Dev Date: Sun, 20 Feb 2011 01:18:03 +0530 Subject: session is reset on token mismatch --- railties/guides/source/security.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'railties/guides/source/security.textile') diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 7f303c3565..5613156245 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -240,7 +240,7 @@ There are many other possibilities, including Ajax to attack the victim in the b protect_from_forgery :secret => "123456789012345678901234567890..." -This will automatically include a security token, calculated from the current session and the server-side secret, in all forms and Ajax requests generated by Rails. You won't need the secret, if you use CookieStorage as session storage. It will raise an ActionController::InvalidAuthenticityToken error, if the security token doesn't match what was expected. +This will automatically include a security token, calculated from the current session and the server-side secret, in all forms and Ajax requests generated by Rails. You won't need the secret, if you use CookieStorage as session storage. If the security token doesn't match what was expected, the session will be reset. *Note:* In Rails versions prior to 3.0.4, this raised an ActionController::InvalidAuthenticityToken error. Note that _(highlight)cross-site scripting (XSS) vulnerabilities bypass all CSRF protections_. XSS gives the attacker access to all elements on a page, so he can read the CSRF security token from a form or directly submit the form. Read more about XSS later. -- cgit v1.2.3