How to expire the csrf token? #12

funkyboy · 2016-02-03T08:43:12Z

I was wondering, is there a way to tweak the expiration of the csrf token?
Or even better, generate a new random one for each new request?

funkyboy · 2016-02-03T09:16:34Z

I am trying

before do
  env['rack.session']['csrf.token'] = SecureRandom.urlsafe_base64(32)
end

It works but I am not sure it's the best way and how it impacts on the performance.

baldowl · 2016-02-03T10:18:27Z

I think it's better if in an after filter you remove the key from session; something like (untested):

after do
  env['rack.session'].delete(Rack::Csrf.key)
end

funkyboy · 2016-02-03T10:39:14Z

Ok, but if I remove it, will a new random one be generated and injected?

baldowl · 2016-02-03T10:44:55Z

Nvm, scrap it: it would remove the token before Rack::Csrf had a chance to look at it.

funkyboy · 2016-02-03T10:47:32Z

So far the "before approach" seems to work. It's tricky in the case of Ajax calls that use themetatag so I went with:

  before do
    unless request.xhr?
      env['rack.session']['csrf.token'] = SecureRandom.urlsafe_base64(32)
    end 
  end

Provide feedback