Assuming that you already have created an oauth client app in twitter, you can go to http://twitter.com/apps to manage them. When I viewed the source of the HTML pages, I saw that they use a hidden form parameter called an authenticity token in their form definitions.

<form method="post" id="sign_out_form" action="/sessions/destroy" style="display:none;">
  <input name="authenticity_token" value="18c9957agd7ysdjgsgd87sgdjs" type="hidden"/>
</form>

<form action="/oauth_clients/regenerate_keys/299120" id="regenerate_keys_form" method="post" style="float: right;">
  <input name="authenticity_token" type="hidden" value="18c9957agd7ysdjgsgd87sgdjs"/>
  <input type="submit" id="regenerate_keys" value="Reset Consumer Key/Secret" class="btn"/>
</form>

Given that the whole web page is accessed via SSL, what is the basis for these authenticity tokens? They never change; thus they are not nonces. Can someone enlighten me on their utility?

+3  A: 

That's a standard feature of Rails (which Twitter's front-end is written in). The authenticity token is a random string generated per session, and is used to guard against CSRF attacks. You can read more about the attack vector and why Rails uses the authenticity token on the Rails Security Guide. An app being served fully under SSL wouldn't prevent a CSRF attack; the purpose is simply to ensure that when a POST/PUT/DELETE is made to a resource, it is done from a form generated by the application, and which has been seen in some form by the user.

Chris Heald
Sounds very similar to javascript's same origin limitation.
Jacques René Mesrine
It's not quite the same thing, but it accomplishes much of the same goal.
Chris Heald
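To make the mechanism in the accepted answer concrete, here is a small self-contained Ruby model of a per-session authenticity token. It is an added illustration written for this page, not Rails' own implementation and not code from Twitter; the `Session`, `Request`, `render_form` and `handle` names are invented for the example, and the action path is borrowed from the form in the question. It shows why the token is constant within a session yet still stops a cross-site POST, why a token belonging to a different session is useless, and why the TLS flag plays no part in the check.

```ruby
require 'securerandom'
require 'cgi'

# Constructed model of the Rails-style authenticity token (CSRF guard).
# Only POST/PUT/PATCH/DELETE are checked; GET is assumed to be side-effect free.
PROTECTED_METHODS = %w[POST PUT PATCH DELETE].freeze

class Session
  attr_reader :id

  def initialize
    @id = SecureRandom.hex(16)   # what the session cookie would identify
    @data = {}
  end

  # Classic Rails behaviour: one random token per session, created lazily and
  # reused for every form rendered in that session. That is why the value in
  # the page source "never changes": it is a per-session secret, not a nonce.
  def csrf_token
    @data[:_csrf_token] ||= SecureRandom.base64(32)
  end
end

# Render a form carrying the hidden authenticity_token input, as the form
# helpers do. The token is escaped like any other attribute value.
def render_form(session, action)
  token = CGI.escapeHTML(session.csrf_token)
  <<~HTML
    <form method="post" action="#{CGI.escapeHTML(action)}">
      <input name="authenticity_token" type="hidden" value="#{token}"/>
      <input type="submit" value="Go"/>
    </form>
  HTML
end

# Constant-time comparison: the check must not leak the token byte by byte
# through response timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A request as the server sees it. The browser attaches the session cookie
# automatically, even to a request triggered from another origin, so the
# session is always present; the form parameters, however, only contain the
# token if the form was rendered by this application for this session.
Request = Struct.new(:method, :path, :session, :params, :https, keyword_init: true)

def verified_request?(request)
  return true unless PROTECTED_METHODS.include?(request.method)
  # Note: request.https is never consulted. TLS protects the transport, but a
  # cross-site form post travels over TLS just as happily as a legitimate one.
  submitted = request.params['authenticity_token'].to_s
  secure_compare(submitted, request.session.csrf_token)
end

def handle(request)
  unless verified_request?(request)
    return { status: 422, body: 'invalid authenticity token' }
  end
  { status: 200, body: "#{request.method} #{request.path} accepted" }
end

if __FILE__ == $PROGRAM_NAME
  victim = Session.new
  action = '/oauth_clients/regenerate_keys/299120'
  puts render_form(victim, action)

  # Legitimate submission from the rendered form: token matches the session.
  ok = Request.new(method: 'POST', path: action, session: victim,
                   params: { 'authenticity_token' => victim.csrf_token }, https: true)
  p handle(ok)

  # Cross-site form post: the cookie rides along, the token does not.
  forged = Request.new(method: 'POST', path: action, session: victim,
                       params: {}, https: true)
  p handle(forged)
end
```

Run it with `ruby csrf_token_demo.rb`; the second request is rejected with 422 even though both requests arrive over HTTPS and carry the same session.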