module ActionController::RequestForgeryProtection

def form_authenticity_param

The authenticity parameter read from the submitted form. Override this method to supply your own.
# Reads the CSRF token the client submitted as a form parameter.
#
# The parameter name comes from +request_forgery_protection_token+; the
# value is whatever the client sent (nil when absent), so callers must
# still compare it against the session token before trusting it.
def form_authenticity_param
  token_key = request_forgery_protection_token
  params[token_key]
end

def form_authenticity_token

Returns the token value for the current session, generating and storing one if none has been set yet.
# Returns the per-session CSRF token, minting one on first use.
#
# The token is 32 random bytes from SecureRandom, base64-encoded, and is
# stored under +session[:_csrf_token]+ so later calls (and later requests
# sharing the session) see the same value.
def form_authenticity_token
  existing = session[:_csrf_token]
  return existing if existing

  session[:_csrf_token] = SecureRandom.base64(32)
end

def handle_unverified_request

By default, Rails resets the session when it finds an unverified request.
This method defines the application's behavior when a request is found to be unverified.
# Invoked by verify_authenticity_token when verified_request? is false.
#
# The default response is to throw away the session; a forged request
# therefore cannot act on behalf of an already-authenticated user.
# Override this to log, raise, or render an error instead.
def handle_unverified_request
  reset_session
end

def protect_against_forgery?

# Whether CSRF checks are active for this controller.
#
# Returns the value of +allow_forgery_protection+, a setting defined
# outside this module (presumably the application-level toggle); when it
# is falsy, verified_request? accepts every request without a token.
def protect_against_forgery?
  allow_forgery_protection
end

def verified_request?

Returns true or false depending on whether a request is verified. Checks:

* Is it a GET request? GETs should be safe and idempotent.
* Does the form_authenticity_token match the token value given in the params?
* Does the X-CSRF-Token header match the form_authenticity_token?
# Decides whether the current request passes the CSRF check.
#
# A request is accepted when protection is switched off, when it is a GET,
# or when the session token matches either the form parameter or the
# X-CSRF-Token header. Both comparisons use plain String#==, which is not
# constant-time; the token is compared for equality only, never decoded.
def verified_request?
  return true unless protect_against_forgery?
  return true if request.get?

  submitted_param = params[request_forgery_protection_token]
  submitted_header = request.headers['X-CSRF-Token']

  form_authenticity_token == submitted_param ||
    form_authenticity_token == submitted_header
end

def verify_authenticity_token

The actual before_filter that is used. Modify this to change how unverified requests are handled.
# The before_filter entry point for CSRF protection.
#
# Does nothing for a verified request. Otherwise it emits a warning (when
# a logger is configured) and hands off to handle_unverified_request,
# which by default resets the session.
def verify_authenticity_token
  return if verified_request?

  logger.warn("WARNING: Can't verify CSRF token authenticity") if logger
  handle_unverified_request
end