sinatra / rack-protection

NOTE: This project has been merged upstream to sinatra/sinatra
https://github.com/sinatra/sinatra/tree/master/rack-protection

Implementation doubt #59

Closed sonoman closed 11 years ago

sonoman commented 11 years ago

Hi there: I have implemented a REST API to be consumed by an HTML5 application, and I'm using rack::session to track some information about the app. Now, since the HTML application is serverless, when it tries to post some information, rack::protection prevents that operation due to remote_token. So, I've learnt how to work with CSRF tokens, but I don't send any HTML form to the client app to insert any meta tag (with a helper), just JSON (it's all MVC on the client side)... What should I do in that case? Send the token to the client in an HTTP header (and have the client send the token again in an HTTP header)? Or just disable remote_token protection?

rkh commented 11 years ago

Yes, you could set it in a header. If you don't use sessions, then disabling just remote_token (via except: :remote_token) should be fine. Also, changing the default reaction to drop_session should work, too. We need to improve the docs on this and actually make it easier to use rack-protection standalone (right now quite some config logic for it is in Sinatra).
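The header flow rkh suggests, written out as an added example that is not part of this thread or of rack-protection's own code: a small Rack-style middleware in plain Ruby (no gem required) that issues the session's CSRF token in a response header, requires it back in a request header on every unsafe method, and supports a drop_session-style reaction instead of a 403. The header name X-CSRF-Token (the header rack-protection's authenticity check reads as HTTP_X_CSRF_TOKEN), the option names, and the demo API app are assumptions made for this example.

```ruby
require 'securerandom'

# Hypothetical middleware, not rack-protection's own code, that mirrors the
# approach described above: the server hands the CSRF token to the JSON client
# in a response header, the client echoes it in a request header, and any
# state-changing request whose header does not match the session token is
# rejected (or, with reaction: :drop_session, let through with an emptied
# session). Header and option names are assumptions for this example.
class HeaderCsrfToken
  HEADER = 'X-CSRF-Token'.freeze
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(app, reaction: :deny)
    @app = app
    @reaction = reaction
  end

  def call(env)
    session = env['rack.session'] ||= {}
    session['csrf'] ||= SecureRandom.hex(32)

    unless safe?(env) || valid_token?(env, session)
      denied = react(session)
      return denied if denied
    end

    status, headers, body = @app.call(env)
    session['csrf'] ||= SecureRandom.hex(32) # reissue after a dropped session
    [status, headers.merge(HEADER => session['csrf']), body]
  end

  private

  def safe?(env)
    SAFE_METHODS.include?(env['REQUEST_METHOD'])
  end

  # Rack exposes the X-CSRF-Token request header as HTTP_X_CSRF_TOKEN.
  def valid_token?(env, session)
    secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, session['csrf'])
  end

  # Length check plus constant-time byte comparison, so a timing side channel
  # cannot leak the token one byte at a time.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # :drop_session mirrors the drop_session reaction: clear the session and let
  # the request continue without it; anything else denies with 403.
  def react(session)
    if @reaction == :drop_session
      session.clear
      nil
    else
      [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
    end
  end
end

# Constructed stand-in for the JSON API (always succeeds).
DEMO_APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }

# Build a minimal Rack env for one request against the protected app.
def simulate(app, method, session, token: nil)
  env = { 'REQUEST_METHOD' => method, 'rack.session' => session }
  env['HTTP_X_CSRF_TOKEN'] = token if token
  app.call(env)
end

# Header flow: the first GET issues the token; POSTs are accepted only when
# they echo it back.
def demo_header_flow
  session = {}
  app = HeaderCsrfToken.new(DEMO_APP)
  _, headers, = simulate(app, 'GET', session)
  token = headers[HeaderCsrfToken::HEADER]
  [
    simulate(app, 'POST', session).first,                 # no header   -> 403
    simulate(app, 'POST', session, token: token).first,   # right token -> 200
    simulate(app, 'POST', session, token: 'f' * 64).first # forged      -> 403
  ]
end

# With reaction: :drop_session an unauthenticated POST is still served, but the
# session state it carried (here a login) is discarded first.
def demo_drop_session
  session = { 'user_id' => 42 }
  app = HeaderCsrfToken.new(DEMO_APP, reaction: :drop_session)
  status, = simulate(app, 'POST', session)
  [status, session.key?('user_id')]
end

puts demo_header_flow.inspect, demo_drop_session.inspect if $PROGRAM_NAME == __FILE__
```

Two practical caveats. If the HTML5 client is served from a different origin than the API, the browser will not let its JavaScript read the X-CSRF-Token response header unless the API also sends Access-Control-Expose-Headers naming it, and the POST itself must pass the CORS preflight; a same-origin client needs neither. And the `except: :remote_token` shortcut in the reply is only safe in the case rkh qualifies it with: an API that keeps no cookie-backed session has no ambient credential for a cross-site request to ride on, whereas one that does should keep the check and send the header.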

sonoman commented 11 years ago

Thanks for your advice ;)