Because form_authenticity_token is used to validate requests, is it redundant to use it when you're already checking whether a user is logged in?

I.e., is form_authenticity_token really intended only for forms which are available to anyone, as opposed to forms exclusively for logged-in users?

+2  A: 

Being logged in would make an XSRF attack worse, because then it could actually damage real data. Check these out as a starting point.

XSRF in a RESTful Application

Cross-Site Request Forgeries and You

jdl
A: 

No, because in CSRF attacks the requests are sent by the client's browser, which is authenticated and may delete his data.

Read the Ruby on Rails Security Guide section about CSRF.

Mihai A
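Both answers make the same point: the browser attaches the session cookie to a cross-site request automatically, so a login check alone passes a forged request. Added example (a small Ruby model written for this page, not Rails code and not from either answerer) contrasting a login-only check with the login-plus-token check; the handler and session names are assumptions:

```ruby
require 'securerandom'

# Constructed model of a server session: the user id plus the per-session
# authenticity token that Rails embeds in same-origin forms.
class Session
  attr_reader :user_id, :csrf_token
  def initialize(user_id)
    @user_id = user_id
    @csrf_token = SecureRandom.hex(32)
  end
end

# Constant-time comparison, so token checking does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the question proposes: authentication only. The cookie is sent by the
# browser on every request, including those triggered from another site.
def login_only_delete(sessions, cookie_sid)
  sessions[cookie_sid] ? :ok : :unauthenticated
end

# What protect_from_forgery does in effect: the request must also carry the
# token from the page, which a cross-site page cannot read.
def protected_delete(sessions, cookie_sid, submitted_token)
  session = sessions[cookie_sid]
  return :unauthenticated unless session
  return :forged unless submitted_token && secure_compare(session.csrf_token, submitted_token)
  :ok
end

# Constructed scenario: one logged-in user, one legitimate form submission,
# one forged submission that only has the cookie, and one guessed token.
def demo
  sessions = {}
  sid = SecureRandom.hex(16)
  sessions[sid] = Session.new(42)
  real_token = sessions[sid].csrf_token
  {
    login_only_forged: login_only_delete(sessions, sid),              # :ok -- the problem
    protected_legit:   protected_delete(sessions, sid, real_token),   # :ok
    protected_forged:  protected_delete(sessions, sid, nil),          # :forged
    protected_guessed: protected_delete(sessions, sid, SecureRandom.hex(32)), # :forged
    protected_anon:    protected_delete(sessions, nil, nil)           # :unauthenticated
  }
end
```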