

Security Vulnerability Found in Heroku and Rails form_tag - benmanns
http://www.benmanns.com/posts/security-vulnerability-found-in-heroku-and-rails-form-tag/

======
Ergomane
Why are authenticity tokens not tied to a specific form and the originating
session? Is there a technical reason?

~~~
benmanns
I suppose that you could tie the authenticity token per form, but you would
end up maintaining a list of every token per user per form.

You could use something like HMAC(form id:session id:secret) to validate
forms, but then you run into problems with verification. The central issue is
that tokens are generated in the view, but validated in the controller, so
each controller would have to maintain a list of the forms that are authorized
to POST to it.
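An added illustration of the HMAC(form id:session id:secret) scheme sketched above, not the commenter's or Rails' own code: the token is recomputed rather than stored, so no per-user list is needed, and the controller-side check shows the remaining cost, an explicit list of form ids each action accepts. The class and method names (FormToken, generate, valid?) and the sample ids are assumptions.

```ruby
require 'openssl'

# Stateless per-form CSRF token: HMAC over "form_id:session_id" keyed with a
# server-side secret. Nothing is stored per user per form; the receiving
# controller only needs to know which form ids are allowed to POST to it.
# (Illustrative class; not part of Rails.)
class FormToken
  def initialize(secret)
    @secret = secret
  end

  # Token for one form rendered in one session. The ":" separator is reserved
  # so that two different (form_id, session_id) pairs cannot collide.
  def generate(form_id, session_id)
    raise ArgumentError, 'form_id must not contain ":"' if form_id.include?(':')
    OpenSSL::HMAC.hexdigest('SHA256', @secret, "#{form_id}:#{session_id}")
  end

  # Controller-side check: recompute the expected token for every form id this
  # action accepts and compare in constant time. A token minted for another
  # session, or for a form this action does not list, is rejected.
  def valid?(token, session_id, allowed_form_ids)
    allowed_form_ids.any? do |form_id|
      secure_compare(token, generate(form_id, session_id))
    end
  end

  private

  # Constant-time string comparison so that timing does not leak how many
  # leading characters of a guessed token were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```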

------
homakov
Nice post bro, are you on Twitter?

~~~
benmanns
Yes, at @benmanns.

