ryanb / railscasts

railscasts.com in open source (outdated).
http://railscasts.com
MIT License
760 stars 175 forks

CSRF Vulnerability!!! #50

Closed balexand closed 12 years ago

balexand commented 12 years ago

Submit any form on the site without a valid CSRF authenticity_token and it still works. An easy way to reproduce this is to remove the authenticity_token hidden input from a form using your browser's DOM inspector before submitting.

This pull request overrides handle_unverified_request to invalidate cookies[:token].

This same issue affects Episode 274 and probably others too, so you may want to update the show notes.

BTW, I'm a huge fan of Railscasts.
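Added example, not code from the railscasts repository or from the pull request: a plain-Ruby model of the flow the report describes. In Rails 3.0.4 and later an unsafe request whose `authenticity_token` does not match the session token goes to `handle_unverified_request`, whose default action is `reset_session`. An application that also keeps a persistent login in `cookies[:token]` (the "remember me" pattern from Episode 274) is therefore still authenticated afterwards, which is why the form "still works". The `PatchedController` below does what the pull request describes, deleting that cookie as well. The controller, request and user classes and the sample user record are assumptions made for the simulation.

```ruby
require "securerandom"

# Added example, not code from the railscasts project. Class names, the
# FakeRequest helper and the USERS table are assumptions for this simulation.
USERS = { "u1" => { id: 1, auth_token: "remember-me-token" } } # constructed sample data

class FakeRequest
  attr_reader :method, :params

  def initialize(method, params = {})
    @method = method
    @params = params
  end

  def get_or_head?
    %w[GET HEAD].include?(@method)
  end
end

class BaseController
  attr_reader :session, :cookies

  def initialize(session: {}, cookies: {})
    @session = session
    @cookies = cookies
  end

  # Mirrors protect_from_forgery: before the action runs, an unsafe request
  # must carry the token stored in the session, otherwise the unverified
  # handler is invoked. The block plays the role of the controller action.
  def dispatch(request)
    @request = request
    handle_unverified_request unless verified_request?
    yield self
  end

  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  def verified_request?
    @request.get_or_head? ||
      form_authenticity_token == @request.params[:authenticity_token]
  end

  # Rails >= 3.0.4 default: discard the session instead of raising.
  def handle_unverified_request
    reset_session
  end

  def reset_session
    @session = {}
  end

  # "Remember me" style lookup: session first, then the persistent cookie.
  def current_user
    if session[:user_id]
      USERS.values.find { |u| u[:id] == session[:user_id] }
    elsif cookies[:token]
      USERS.values.find { |u| u[:auth_token] == cookies[:token] }
    end
  end
end

# The change the pull request describes: also invalidate cookies[:token].
class PatchedController < BaseController
  def handle_unverified_request
    super
    cookies.delete(:token)
  end
end

def logged_in_controller(controller_class)
  ctrl = controller_class.new(session: { user_id: 1 },
                              cookies: { token: "remember-me-token" })
  ctrl.form_authenticity_token # the session now holds a CSRF token
  ctrl
end

# A forged POST omits the token (as when the hidden input is removed);
# returns whether the action still sees an authenticated user.
def forged_post_still_authenticated?(controller_class)
  ctrl = logged_in_controller(controller_class)
  ctrl.dispatch(FakeRequest.new("POST", {})) { |c| !c.current_user.nil? }
end

# A legitimate POST carries the session's token and must keep working.
def legitimate_post_authenticated?(controller_class)
  ctrl = logged_in_controller(controller_class)
  token = ctrl.form_authenticity_token
  ctrl.dispatch(FakeRequest.new("POST", authenticity_token: token)) { |c| !c.current_user.nil? }
end

if __FILE__ == $0
  puts "default handler, forged POST still authenticated: #{forged_post_still_authenticated?(BaseController)}"
  puts "patched handler, forged POST still authenticated: #{forged_post_still_authenticated?(PatchedController)}"
end
```

In a real Rails application the equivalent is a private `handle_unverified_request` in `ApplicationController` that calls `super` and then `cookies.delete(:token)`. Note that the forged request is not rejected in either variant; it runs as an anonymous request, so any action that does not require a user still executes, and clearing the persistent cookie logs the legitimate user out on every unverified request, including ones triggered by stale or missing tokens.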

ryanb commented 12 years ago

Thanks for reporting this issue. I wasn't aware of it. Pulled in!

ryanb commented 12 years ago

Note, this change has caused some authentication problems, and I haven't researched a solution yet. If someone knows of a better way to do this please comment here.