I use Rails' request_forgery_protection mechanism to protect my POST actions from CSRF attacks and a captcha to protect the GET actions. This way, if someone stages a two-phase attack within one session, GET-ting the form with the current token and then POST-ing a forged request with that token, he will eventually be faced with a captcha check.
I'm stuck with that, though, because Rails doesn't regenerate the CSRF token until the end of the session. That doesn't seem right to me; I'd think the token should be renewed before the next action. I'm wondering whether maybe I have tweaked something wrong. Is there another way of doing this?
Thanks.
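The two token strategies the question contrasts, as an added stand-alone example (this is not code from the original post and not Rails' own implementation; the `CsrfDemo` module, its `Masked`/`Rotating` strategies and the Hash standing in for the Rails session are all assumed here). `Masked` keeps one secret per session but wraps it in a fresh one-time pad on every GET, so the token in the HTML changes each request while every token issued in the session still verifies; this is the approach Rails adopted from 4.2 onward. `Rotating` is the behaviour the question asks for: each token is accepted once, and a token captured from an earlier GET cannot be replayed after the next POST.

```ruby
require "securerandom"
require "base64"

# Hypothetical helper, not Rails code. The session is modelled as a plain Hash.
module CsrfDemo
  SECRET_BYTES = 32

  # Constant-time comparison: a forged token must not be guessable byte by byte
  # from response-time differences.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Byte-wise XOR of two equal-length binary strings.
  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  def self.decode(token)
    return nil if token.nil?
    Base64.strict_decode64(token)
  rescue ArgumentError
    nil
  end

  # Strategy 1: stable per-session secret, masked with a random one-time pad
  # per rendered form. Token text differs on every GET; all of them verify,
  # so several open tabs keep working.
  module Masked
    def self.issue(session)
      session[:csrf_secret] ||= SecureRandom.random_bytes(SECRET_BYTES)
      pad = SecureRandom.random_bytes(SECRET_BYTES)
      Base64.strict_encode64(pad + CsrfDemo.xor(pad, session[:csrf_secret]))
    end

    def self.valid?(session, token)
      secret = session[:csrf_secret]
      raw = CsrfDemo.decode(token)
      return false if secret.nil? || raw.nil?
      return false unless raw.bytesize == 2 * SECRET_BYTES
      pad    = raw[0, SECRET_BYTES]
      masked = raw[SECRET_BYTES, SECRET_BYTES]
      CsrfDemo.secure_compare(CsrfDemo.xor(pad, masked), secret)
    end
  end

  # Strategy 2: one token per request. Issuing replaces the secret and a
  # successful POST consumes it, so a replayed token is rejected. Trade-off:
  # a form left open in a second tab is rejected too.
  module Rotating
    def self.issue(session)
      session[:csrf_secret] = SecureRandom.random_bytes(SECRET_BYTES)
      Base64.strict_encode64(session[:csrf_secret])
    end

    def self.consume(session, token)
      secret = session[:csrf_secret]
      raw = CsrfDemo.decode(token)
      return false if secret.nil? || raw.nil?
      ok = CsrfDemo.secure_compare(raw, secret)
      session.delete(:csrf_secret) if ok # one-time use: the next GET issues a fresh one
      ok
    end
  end
end
```

Whichever strategy is used, the check must be constant-time and must reject a token whose session secret is missing; the rotating variant additionally needs the application to tolerate "stale form" rejections for users with several tabs open.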
If the form token is NOT regenerated for each page request, this protection is bad. I faced it some time ago (when testing Redmine, which is RoR-based) and reported this issue, but haven't retested it.
If it's still not regenerated, I suggest you report this to the RoR team.