Hi,

I use the Rails request_forgery_protection mechanism to protect my POST actions from CSRF attacks and a captcha to protect the GET actions. This way, if someone stages a two-phase attack within one session, GET-ting the form with the current token and then POST-ing a forged request with that token, he will eventually be faced with a captcha check.

I'm stuck with that, though, because Rails doesn't regenerate the CSRF token until the end of the session. That doesn't seem right to me; I'd think the token should be renewed before the next action. I'm wondering whether maybe I have tweaked something wrong? Is there another way of doing this?

Thanks.

A: 

I'm not sure if this is a good idea or not, but you can nil out the token yourself on GET requests from inside your application controller.

class ApplicationController < ActionController::Base
  protect_from_forgery
  before_filter :reset_csrf

  private

  # Forget the session token on every GET, so the next form render
  # (form_authenticity_token) mints a fresh one for that form.
  def reset_csrf
    session[:_csrf_token] = nil if request.get?
  end
end
jwarchol
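To show what the reset-on-GET filter above actually buys and what it costs, here is an added, Rails-free simulation of the session-bound token lifecycle (example code written for this page, not from the question or the answer; the class name CsrfSession and the helper names are this example's own). It mirrors how Rails lazily mints one token per session and compares it against the submitted one, then applies the filter so a token only survives until the next GET in the same session.

```ruby
# Added example: simulate Rails' session-bound CSRF token with the
# "nil the token on GET" filter applied. Names here are illustrative,
# not Rails API (only the session key :_csrf_token matches Rails).
require 'securerandom'

class CsrfSession
  attr_reader :session

  def initialize
    @session = {}   # stands in for the Rails session hash
  end

  # Mirrors form_authenticity_token: lazily mint one token per session.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so a wrong token cannot be narrowed down by timing.
  def secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # The filter from the answer: forget the token on GET so the next
  # form render mints a fresh one.
  def reset_csrf(method)
    @session[:_csrf_token] = nil if method == :get
  end

  # Handle one request. A GET renders a form and returns the token embedded
  # in it; a POST returns true only when the submitted token matches.
  def handle(method, submitted_token = nil)
    reset_csrf(method)
    if method == :get
      form_authenticity_token
    else
      secure_compare(form_authenticity_token, submitted_token.to_s)
    end
  end
end

# Scenario 1: a token is good for the next POST only; a later GET discards it.
def single_form_flow
  s = CsrfSession.new
  token_a    = s.handle(:get)
  first_post = s.handle(:post, token_a)   # accepted
  token_b    = s.handle(:get)             # new token, token_a is gone
  replay     = s.handle(:post, token_a)   # rejected
  [first_post, replay, token_a == token_b]   # => [true, false, false]
end

# Scenario 2, the cost of this approach: two forms open at once in one session.
def two_tabs_flow
  s = CsrfSession.new
  tab1 = s.handle(:get)
  tab2 = s.handle(:get)   # this GET wipes tab1's token
  [s.handle(:post, tab1), s.handle(:post, tab2)]   # => [false, true]
end

if __FILE__ == $PROGRAM_NAME
  p single_form_flow
  p two_tabs_flow
end
```

Scenario 1 is the behaviour the question asks for: a token captured from one form render cannot be replayed after the session has rendered another form. Scenario 2 shows the operational cost a practitioner should weigh before shipping it: any GET in the session (a second browser tab, or an Ajax GET fired while a form is open) invalidates every form already on screen, so legitimate submissions fail with the same error as forged ones.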