Message from discussion CSRF tokens for mobile apps
Date: Mon, 21 May 2012 07:42:06 -0700 (PDT)
Subject: Re: CSRF tokens for mobile apps
From: Jim <jim...@gmail.com>
To: "Ruby on Rails: Talk" <firstname.lastname@example.org>
> I have an existing rails backend website which makes json ajax calls to my
> server and I was passing csrf tokens in every ajax call. Now, I am
> developing a mobile iOS app to use the same backend and send calls in json.
> However, mobile requests are failing with "Can't verify CSRF token
> authenticity", because I don't know of any way to send the csrf token to
> rails from app.
This isn't so much a rails question as an iOS programming question.
In addition, a little very simple googling shows everything you need
to know to be able to do this (simple enough that it's obvious you
didn't even try).
to see how the token is sent to a browser. You can probably just use:
<%= form_authenticity_token %>
to set the value of the token in your initial response to the iOS
app. A quick test shows that AJAX requests to the server include the
token as a custom header in the request.
To learn how to set a custom http header in your iOS app, see:
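
Added example, not part of the original message and not Rails' own code: a simplified Ruby model of the flow the reply describes, where the server hands the session's token to the app in its initial response and later accepts a state-changing request only if the same token comes back in a custom header. The class and method names are hypothetical; `X-CSRF-Token` is the header name Rails reads for AJAX requests.

```ruby
require "securerandom"
require "digest"

# Simplified model of a per-session CSRF token check (assumption: this is
# not Rails' implementation; class and method names are hypothetical).
class CsrfModel
  HEADER = "X-CSRF-Token" # header Rails reads for AJAX requests
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize
    @sessions = {} # session id => token, kept server-side only
  end

  # Initial response to the app: create a session and return its token,
  # the role form_authenticity_token plays in the reply above.
  def start_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = SecureRandom.base64(32)
    { session_id: sid, csrf_token: @sessions[sid] }
  end

  # Decide whether a request is accepted, given its session and headers.
  def handle(method, session_id, headers = {})
    return :ok if SAFE_METHODS.include?(method) # reads are not checked
    expected = @sessions[session_id]
    supplied = headers[HEADER]
    return :rejected if expected.nil? || supplied.nil?
    secure_equal?(expected, supplied) ? :ok : :rejected
  end

  private

  # Compare fixed-length digests without an early exit, so timing does not
  # reveal how much of a guessed token was correct.
  def secure_equal?(a, b)
    da = Digest::SHA256.digest(a).bytes
    db = Digest::SHA256.digest(b).bytes
    da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: the app's own session plus an unrelated one.
def demo
  server = CsrfModel.new
  app = server.start_session
  other = server.start_session
  { with_token: server.handle("POST", app[:session_id], { CsrfModel::HEADER => app[:csrf_token] }),
    no_token: server.handle("POST", app[:session_id]),
    wrong_session: server.handle("POST", app[:session_id], { CsrfModel::HEADER => other[:csrf_token] }),
    get: server.handle("GET", app[:session_id]) }
end
```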