ArghWebWorks

This might have been solved more elegantly or more securely. But it’s here if you want a place to start.

I have a client using Rails, and they want to log into their site from another site (another domain). The problem is that RoR uses “authentication tokens” for any POST, PUT or DELETE HTTP requests; so any form that does a POST action requires this code. It’s supposed to be a non-predictable code that the server can assign and check for on the return, to make sure the session’s valid. The login form is a POST form. Thus, the site needed an authentication token. Or it needed to ignore that for this other domain.

The solution I came up with was to use a ‘skip_before_filter’ in the sessions_controller.rb file. It looks like this:

skip_before_filter :verify_authenticity_token, :if => Proc.new {|c| c.request.referer =~ /otherdomain/ }


It’s not elegant and could be thwarted by the referrer looking like “http://example.com?attack_vector=otherdomain” but I think by the time someone is hand crafting referer strings or setting up forms, there will be other issues to deal with (firewalls, password strength, et cetera).