I am running into some issues regarding the Authenticity Token in Rails, as I have many times now.
But I really don't want to just solve this problem and go on. I would really like to understand the Authenticity token. Well, my question is, do you have some complete source of information on this subject or would you spend your time to explain in details here?
The authenticity token is designed so that you know your form is being submitted from your website. It is generated from the machine on which it runs with a unique identifier that only your machine can know, thus helping prevent cross-site request forgery attacks.
If you are simply having difficulty with rails denying your AJAX script access, you can use
to generate the correct token when you are creating your form.
You can read more about it in the documentation.
The authenticity token is used to prevent Cross-Site Request Forgery attacks (CSRF). To understand the authenticity token, you must first understand CSRF attacks.
CSRF

Suppose that you are the author of `bank.com`. You have a form on your site that is used to transfer money to a different account with a GET request:

A hacker could just send an HTTP request to the server saying `GET /transfer?amount=$1000000&account-to=999999`, right?

Wrong. The hacker's attack won't work. The server will basically think:
How does the server know this? Because there's no `session_id` cookie authenticating the requester.

When you sign in with your username and password, the server sets a `session_id` cookie on your browser. That way, you don't have to authenticate each request with your username and password. When your browser sends the `session_id` cookie, the server knows:

A hacker might think:
The user's browser has a bunch of cookies set for the `bank.com` domain. Every time the user makes a request to the `bank.com` domain, all of the cookies get sent along, including the `session_id` cookie.

So if a hacker could get you to make the GET request that transfers money into his account, he'd be successful. How could he trick you into doing so? With Cross Site Request Forgery.
It's pretty simple, actually. The hacker could just get you to visit his website. On his website, he could have the following image tag:
When the user's browser comes across that image tag, it'll be making a GET request to that URL. And since the request comes from his browser, it'll send with it all of the cookies associated with `bank.com`. If the user had recently signed in to `bank.com`... the `session_id` cookie will be set, and the server will think that the user meant to transfer $1,000,000 to account 999999!

That isn't enough. What if someone posts that image to Facebook and it appears on your wall? What if it's injected into a site you're visiting with an XSS attack?
Not true. A form that sends a POST request can be dynamically generated. Here's the example from the Rails Guide on Security:
Authenticity Token

When your `ApplicationController` has this:

This:

Is compiled into this:

In particular, the following is generated:
To protect against CSRF attacks, if Rails doesn't see the authenticity token sent along with a request, it won't consider the request safe.
How is an attacker supposed to know what this token is? A different value is generated randomly each time the form is generated:
A Cross Site Scripting (XSS) attack - that's how. But that's a different vulnerability for a different day.
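As an added illustration of the mechanism the answer above describes (this is example code written for this page, not code from the original answer or from Rails itself), here is a small plain-Ruby model of how a per-session secret is issued, how every rendered form gets a freshly masked token that still verifies against that secret, and why a forged cross-site request that carries the `session_id` cookie but no token is rejected. The `session` Hash, the `request` Hash with `:method`, `:params` and `:headers` keys, and all helper names are assumptions made for the example.

```ruby
require 'securerandom'
require 'base64'

# Constructed model of Rails-style CSRF protection (added example, not Rails source).
# The session is assumed to be a plain Hash the server keeps for each session_id cookie.
TOKEN_LENGTH = 32

# One secret per session, created lazily the first time a form is rendered.
def session_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
end

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Token embedded in a form: the session secret XORed with a fresh one-time pad.
# Every rendered form therefore carries a different string, yet each one
# still verifies against the same session secret.
def masked_token(session)
  raw = Base64.strict_decode64(session_csrf_token(session))
  pad = SecureRandom.random_bytes(raw.bytesize)
  Base64.strict_encode64(pad + xor_bytes(raw, pad))
end

# Constant-time comparison so a mismatch does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Unmask a submitted token and compare it with the session secret.
def valid_token?(session, submitted)
  secret = session[:_csrf_token]
  return false unless secret && submitted.is_a?(String)
  decoded = begin
    Base64.strict_decode64(submitted)
  rescue ArgumentError
    return false # not base64 at all
  end
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad    = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(masked, pad), Base64.strict_decode64(secret))
end

# Model of what protect_from_forgery does. A request is assumed to be a Hash like
#   { method: "POST", params: { "authenticity_token" => "..." }, headers: { "X-CSRF-Token" => "..." } }
# GET/HEAD/OPTIONS are left alone (they must not change state); everything else needs a valid token.
def handle_request(session, request)
  return :allowed if %w[GET HEAD OPTIONS].include?(request[:method].to_s.upcase)
  params  = request[:params]  || {}
  headers = request[:headers] || {}
  submitted = params["authenticity_token"] || headers["X-CSRF-Token"]
  valid_token?(session, submitted) ? :allowed : :rejected
end

if __FILE__ == $PROGRAM_NAME
  session = {}                      # what the bank keeps for one signed-in user
  token = masked_token(session)     # what the bank's own /transfer form would embed
  puts handle_request(session, { method: "POST", params: { "authenticity_token" => token } })
  puts handle_request(session, { method: "POST", params: { "amount" => "1000000" } }) # cookie alone is not enough
  puts handle_request({}, { method: "POST", params: { "authenticity_token" => token } }) # token from a different session
end
```

The point the model makes concrete: the browser attaches the `session_id` cookie to any request aimed at `bank.com`, but the attacker's page has no way to read the session secret or a masked copy of it, so a state-changing request without the token fails even though the cookie is present. The masking is also why the token differs on every page load while verification keeps working.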
Methods Where `authenticity_token` is required

Why It is Required
Since `Authenticity Token` is so important, and in Rails 3.0+ you can use
to create
anywhere