How to allow either a) HTTP authentication without a CSRF + SSL token, or b) a development CSRF token is required?

Question

How to allow either a) HTTP authentication without a CSRF + SSL token, or b) a development CSRF token is required?

I have a Rails 3 application configured with user registration using a program running on the server. I allow users to access the server through the website, and also allow users to create accounts and log in using the Iphone application.

When people use the Iphone app, I would like to support these two actions:

a) Registration for an account without CSRF (does this cause any security problems)?

b) Login using http auth, SSL protected

c) Any POST requests to the server after logging in for protection using the HTTP protocol using SSL.

When the user is on the website, I want to use CSRF tokens for all actions (so that the user does not enter a username and password each time).

Thank you for your help.

+3

ruby-on-rails iphone csrf devise

Janice Nov 23 '10 at 14:04

source share

1 answer

Bryan rehbein · Accepted Answer · 2011-01-30T23:05:51+0000

You can selectively disable the CSRF token on the controller or individual action methods.

class StatsController < ApplicationController
  skip_before_filter :verify_authenticity_token
  ...
end

I really want to do something like this, my iPhone will use a different domain name and selectively disable the filter: verify_authenticity_token, based on several conditions. This only holds us back until we can implement our OAUTH2.

How to allow either a) HTTP authentication without a CSRF + SSL token, or b) a development CSRF token is required?

More articles: