Without cookies enabled, a form post will throw ActionController::InvalidAuthenticityToken. For the most part, I just handle the exception with a message stating that cookies are required to log in to my application.

However, one thing users of my application can do is create content to be shared with other people, who may or may not be logged in (it is not required). Furthermore, this content can be password protected if the creator chooses to do so. This is where I am running into problems. If it matters, I am using the active_record_store as my session_store, and also have config.action_controller.session set.

If a visitor tries to unlock password protected content without having cookies enabled, the application will throw the exception, and from the visitor's perspective, crash. I would like to be able to handle this situation, but I am not sure how to. I could handle the exception and allow the content to be unlocked without checking the cookie, but if I am doing so I might as well not be protecting the action against CSRF because I'd be opening up a vulnerability anyways, correct? Alternately, I could require cookies to be enabled so that the form can be authenticated, but there really is no reason to otherwise require cookies in this situation.

If I understand correctly, if I disable protection on that action, I will only be exposing unlocking protected content to a CSRF vulnerability, but if cookies are not enabled anyways, would it matter? Is there a way to protect while handling a lack of cookies?

+1  A: 

I don't think it will be a problem to disable it for that action. Forgery protection is only really useful for actions that have some effect on your app's data.

mckeed
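To make the distinction in the answer concrete, here is an added example (not code from the question, the answer, or Rails itself) that models a per-session authenticity token check in plain Ruby. `CsrfGuard`, `handle_post` and `CONTENT_PASSWORD` are assumed names; a `nil` session stands for a browser that sent no session cookie, so a cookie-less POST to a data-changing action gets the "cookies required" page instead of an unhandled exception, while the stateless `unlock` action is exempted from the check.

```ruby
require "securerandom"

# Constructed stand-in for a Rails controller's forgery check, so the outcomes
# the question runs into can be told apart. A session is a Hash; nil means the
# browser sent no session cookie at all.
module CsrfGuard
  # Actions cookie-less visitors may POST to and that change no server-side
  # data (mirrors protect_from_forgery with the check skipped for :unlock).
  SKIP_FOR = %w[unlock].freeze

  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so token and password checks do not leak timing.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # :ok, :skipped, :no_session (cookies off) or :invalid (token mismatch).
  # Rails also leaves GET/HEAD unverified; only state-changing verbs are checked.
  def self.verify(action:, method:, session:, token:)
    return :ok if %w[GET HEAD].include?(method)
    return :skipped if SKIP_FOR.include?(action)
    return :no_session if session.nil? || session[:_csrf_token].nil?
    secure_compare(token, session[:_csrf_token]) ? :ok : :invalid
  end
end

# Hypothetical stored password for one piece of protected content (constructed).
CONTENT_PASSWORD = "s3cret-example"

# Hypothetical dispatcher for POST requests. The :no_session branch is where the
# question's crash would otherwise happen; it renders a message instead.
# The unlock action persists nothing, so skipping forgery protection for it
# exposes nothing a forged request could change.
def handle_post(action:, session:, token:, params:)
  case CsrfGuard.verify(action: action, method: "POST", session: session, token: token)
  when :no_session then return { status: :cookies_required }
  when :invalid    then return { status: :forbidden }
  end
  return { status: :processed } unless action == "unlock"
  ok = CsrfGuard.secure_compare(params[:password], CONTENT_PASSWORD)
  { status: ok ? :unlocked : :wrong_password }
end
```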