Want more GoRails?

GoRails is packed full with 719 lessons just like this one.

Sign up to get full access or log in to your account and sit back.

Unlock this lesson
Log In

How Cross-Site Request Forgery (CSRF) Works in Ruby on Rails

February 8, 2022

Security
Track your progress

Sign in to track your progress and access subscription-only lessons.

Log In

Your Teacher

Chris Oliver

Hi, I'm Chris. I'm the creator of GoRails, Hatchbox.io and Jumpstart. I spend my time creating tutorials and tools to help Ruby on Rails developers build apps better and faster.

About This Episode

Ever gotten an InvalidAuthentictyToken error in Rails and wondered how CSRF works? In this lesson, we'll learn how it works behind the scenes so you can understand exactly what's going on.

Notes

Resources

Add this code to your ApplicationController to see how Rails compares the CSRF tokens you sent to the CSRF token in your application.

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception

  before_action do
    p "👋"
    p "real #{real_csrf_token(session)}"
    p "global #{global_csrf_token(session)}"

    request_authenticity_tokens.each do |token|
      next if token.nil?

      decoded_token = decode_csrf_token(token)
      if decoded_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
        p unmask_token(decoded_token)
      else
        p decoded_token
      end
    end
  end
end

Additional Reading:

Want to stay up-to-date with Ruby on Rails?

Join 86,796+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.