views:

61

answers:

2

Hi. I aw working on cross site authentication (some domains have got common authentication). So I want to send authentication data (login, password) to main domain from others.

How should I use protect_from_forgery and how can I check if data received from valid domain?

What I am thinking now is to turn off protect_from_forgery for session controller and check domain name of received data.

But maybe I can configure CSRF protection for not only one domain?

+1  A: 

The protection work with checking the session[:_csrf_token], so if you session is same in all of your domain, the protect_from_forgery can works.

shingara
oh, this is great
fl00r
+1  A: 

What you are purposing is the very definition of a CSRF vulnerability. Forcing the user to Login or log-off generally isn't useful to the attacker. To pull off this hack the attacker would have to know the Username and Password, which defeats the purpose of "Session riding" on another user's authenticated session. As a hardcore hacker that writes CSRF exploits I'm telling you that this isn't a serious problem.

A easy way to patch this is to check the referer and make sure the login request is originating from a whitelist of domains. Another way to patch this is to use a Capthca like reCapthca. Yes you read that right. The reason why this works is because an attacker cannot solve the capthca with javascript or flash to "forge" a valid login request.

Rook