"Prevent CSRF" by shugo

Sat, 6 Aug 2005 22:13:00 JST

I could not find any CSRF protection support in Rails 0.13.1. So I did it myself.

At first, I changed ApplicationController and ApplicationHelper.

app/controller/application.rb:

class ApplicationController < ActionController::Base
  private

  def validate_session
    if @params[:session_id_validation] == @session.session_id
      return true
    else
      render(:text => SESSION_VALIDATION_FAILED_HTML,
             :status => "403 Forbidden")
      return false 
    end
  end

  SESSION_VALIDATION_FAILED_HTML = <<EOF
<html>
  <head>
    <title>403 Forbidden</title>
  </head>
  <body>
    <h1>403 Forbidden</h1>
    <p>
      Session validation failed.
    </p>
  </body>
</html>
EOF
end

app/helpers/application_helper.rb:

module ApplicationHelper
  def secure_form_tag(*args)
    return start_form_tag(*args) + "\n" +
      hidden_field_tag("session_id_validation", @session.session_id)
  end
end

Then replaced start_form_tag by secure_form_tag.

app/views/<controller_name>/edit.rhtml:

<h1>Edit</h1>

<%= secure_form_tag :action => 'update', :id => @model_name %>
  <%= render_partial 'form' %>
  <%= submit_tag 'Edit' %>
<%= end_form_tag %>

<%= link_to 'Show', :action => 'show', :id => @model_name %> |
<%= link_to 'Back', :action => 'list' %>

Finally, specified before_filter to each action.

app/controllers/<controllername>controller.rb

class <ControllerName>Controller < ApplicationController
  before_filter :validate_session, :only => [:create, :update, :destroy]

  ...
end

scaffold generates code to destory by GET, so I added a view for confirmation and added a form to destroy by POST.

Shugo's Blog comments on Prevent CSRF

"Prevent CSRF" by shugo