Message from discussion CSRF tokens for mobile apps

Date: Mon, 21 May 2012 07:42:06 -0700 (PDT)
In-Reply-To: <340afc46-f15f-4b7d-8b92-79adb970ed1f@googlegroups.com>
References: <340afc46-f15f-4b7d-8b92-79adb970ed1f@googlegroups.com>
Message-ID: <6f7d22e8-db20-4cb3-86a9-4c6bb97b3486@j25g2000yqn.googlegroups.com>
Subject: Re: CSRF tokens for mobile apps
From: Jim <jim...@gmail.com>
To: "Ruby on Rails: Talk" <rubyonrails-talk@googlegroups.com>
Content-Type: text/plain; charset=ISO-8859-1

> I have an existing rails backend website which makes json ajax calls to my
> server and I was passing csrf tokens in every ajax call. Now, I am
> developing a mobile iOS app to use the same backend and send calls in json.
> However, mobile requests are failing with "Can't verify CSRF token
> authenticity", because I don't know of any way to send the csrf token to
> rails from app.

This isn't so much a rails question as an iOS programming question.
In addition, a little very simple googling shows everything you need
to know to be able to do this (simple enough that it's obvious you
didn't even try).

Check out

http://stackoverflow.com/questions/3047563/rails-3-authenticity-token

to see how the token is sent to a browser.  You can probably just use:

<%= form_authenticity_token %>

to set the value of the token in your initial response to the iOS
app.  A quick test shows that AJAX requests to the server include the
token as a custom header in the request.

To learn how to set a custom http header in your iOS app, see:

http://stackoverflow.com/questions/1532206/changing-the-useragent-of-nsurlconnection

Jim
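The flow Jim sketches (hand the token to the app in the first response, then have the app echo it back in a custom header on every later request), as an added stand-alone example that is not Jim's code and not Rails itself: `form_authenticity_token`, `verified_request?`, the `X-CSRF-Token` header name and the plain-Hash "session" are stand-ins modelled on what Rails 3.x does, constructed here so the check can be run without a Rails app.

```ruby
require 'securerandom'

# Constructed stand-ins for the Rails pieces discussed in the thread.
# A "session" is a plain Hash here; in Rails it is the cookie-backed session.
CSRF_SESSION_KEY = :_csrf_token
CSRF_HEADER      = 'X-CSRF-Token'   # header the Rails ajax helpers send

# Equivalent of form_authenticity_token: mint one random token per session
# and return the same value on every later call within that session.
def form_authenticity_token(session)
  session[CSRF_SESSION_KEY] ||= SecureRandom.base64(32)
end

# Constant-time comparison so a verifier does not leak the token byte by byte
# through timing differences.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# What protect_from_forgery checks on a state-changing request: the token may
# arrive as the form field or, for ajax and native clients, as the header.
def verified_request?(session, method:, params: {}, headers: {})
  return true if %w[GET HEAD].include?(method.upcase)   # safe methods are not checked
  expected = session[CSRF_SESSION_KEY]
  return false if expected.nil?                           # no token issued yet
  presented = params['authenticity_token'] || headers[CSRF_HEADER]
  secure_compare(expected, presented)
end

# The mobile sequence: initial response carries the token, the app then
# sets X-CSRF-Token on each JSON POST. Also shows the two failure cases.
def simulate_mobile_flow
  session = {}
  token = form_authenticity_token(session)   # embedded in the first response
  {
    with_header:    verified_request?(session, method: 'POST', headers: { CSRF_HEADER => token }),
    without_header: verified_request?(session, method: 'POST'),
    wrong_token:    verified_request?(session, method: 'POST', headers: { CSRF_HEADER => 'x' * token.bytesize }),
    get_request:    verified_request?(session, method: 'GET')
  }
end
```

The `without_header` case is exactly the "Can't verify CSRF token authenticity" failure from the original question; the token must come from the server's own session, never be hard-coded in the app.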