Setup XSRF-TOKEN cookie in Rails for angular CSRF protection

[chytreg]

Imho cleaner and more solid solution than set X-CSRF-Token on Angular site (source).

Had some problems with token setting when I run test on poltergeist or capybara-webkit. If you want to use client side more solid solution is to use:

# Inject CSRF Token
angular.element(document).ready () =>
  @app.config ["$httpProvider", (provider) ->
    provider.defaults.headers.common['X-CSRF-Token'] = angular.element('meta[name="csrf-token"]').attr('content')
  ]

or the cookie solution which I prefer.

[jandudulski]

Billion :+1:

[chytreg]

Any objections?

[sheerun]

Yes, security. Storing CSRF token in cookies is vulnerable to session fixation. Fetching it from meta is ok.

[chytreg]

Example or source pls.

Best regards Dariusz Gertych

2013/8/21 Adam Stankiewicz notifications@github.com

Yes, security. Storing CSRF token in cookies is vulnerable to session fixation. Fetching it from meta is ok.

— Reply to this email directly or view it on GitHubhttps://github.com/monterail/guidelines/pull/177#issuecomment-23018386 .

[chytreg]

@sheerun http://stackoverflow.com/questions/4463422/csrf-can-i-use-a-cookie

Best regards Dariusz Gertych

2013/8/21 Dariusz Gertych dariusz.gertych@monterail.com

Example or source pls.

Best regards Dariusz Gertych

2013/8/21 Adam Stankiewicz notifications@github.com

Yes, security. Storing CSRF token in cookies is vulnerable to session fixation. Fetching it from meta is ok.

— Reply to this email directly or view it on GitHubhttps://github.com/monterail/guidelines/pull/177#issuecomment-23018386 .

[chytreg]

Think I found: http://homakov.blogspot.com.es/2013/06/cookie-forcing-protection-made-easy.html :( @teamon @jandudulski

[sheerun]

Yup, exactly.

[chytreg]

Insecure!!!

[jandudulski]

Homakov :heart:

[sheerun]

For the record, nie wiedziałem o tym poście :D