Why are Rails Authenticity Tokens session persistent and not unique to each submission?

707 views Asked by At

I'm wondering why Rails form Authenticity Tokens last the entire session instead of being generated uniquely per each submission.

I'm coming from web2py, where forms are generated with unique one-time tokens called _formkey. The formkey automatically prevents duplicate submissions resulting from double-clicking, back-button caching, etc.

In Rails, you apparently have to deal with the double-submission problem yourself (See https://stackoverflow.com/a/4683161/165673). It seems to me that one-time Authenticity Tokens would solve this problem, as well as being more secure?

1

There are 1 answers

5
lgowin On BEST ANSWER

One token for entire session is easier to implement. Think about a case where you have two opened tabs with forms.

One token for session is as secure as one-time token solution. At least as the protection against CSRF attacks.

In Rails, you apparently have to deal with the double-submission problem yourself

There is out of the box solution for that. Read about disable_with option. Of course all requests that modify data should be sent via HTTP POST, not GET.