
Gil Silas's Profile

GitHub User: gilsilas

Comments by Gil Silas


I think it's important to mention that when you set @current_user from a cookie instead of the session, you lose the efficiency of Rails' CSRF protection.

This happens because when the Rails protect_from_forgery method identifies a CSRF attack, it resets only the session and not the user's cookies.

To fix it you need to override handle_unverified_request()
in the module ActionController::RequestForgeryProtection::ClassMethods
and define it to delete the auth_token cookie.
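The following is an added example, not code from the comment above or from RailsCasts. It is a plain-Ruby stand-in for the Rails pieces involved (the `RequestForgeryProtectionStandIn` module, `ControllerStandIn`, the hash-backed session and cookie jar, and the `USERS_BY_TOKEN` table are all constructed here), so it runs without a Rails install. It shows why resetting only the session is not enough when `current_user` can fall back to a persistent `auth_token` cookie, and how the override that also deletes the cookie closes that gap.

```ruby
# Stand-in for the default behaviour of Rails' forgery protection:
# an unverified request only clears the session.
module RequestForgeryProtectionStandIn
  def handle_unverified_request
    reset_session
  end
end

# Constructed lookup table standing in for User.find_by_auth_token.
USERS_BY_TOKEN = { "constructed-remember-me-token" => "alice" }.freeze

# Minimal controller stand-in: a session hash, a cookie-jar hash, and the
# parts of request verification that matter for this comment.
class ControllerStandIn
  include RequestForgeryProtectionStandIn
  attr_reader :session, :cookies

  def initialize(session, cookies)
    @session = session
    @cookies = cookies
  end

  def reset_session
    session.clear
  end

  # Mirrors the Rails check: the submitted authenticity_token must match
  # the token stored in the session.
  def verified_request?(params)
    token = session[:_csrf_token]
    !token.nil? && params[:authenticity_token] == token
  end

  def protect_from_forgery(params)
    handle_unverified_request unless verified_request?(params)
  end

  # The pattern the comment describes: session first, then the
  # persistent auth_token cookie.
  def current_user
    session[:user_id] || USERS_BY_TOKEN[cookies[:auth_token]]
  end
end

# The fix: after the session is reset, also delete the auth_token cookie
# so the persistent login cannot survive a detected forgery.
class FixedController < ControllerStandIn
  def handle_unverified_request
    super
    cookies.delete(:auth_token)
  end
end

# Run one request through a controller and report who is logged in afterwards.
# forged: true sends a wrong authenticity_token, as a CSRF attempt would.
def simulate(controller_class, forged: true)
  session = { user_id: "alice", _csrf_token: "constructed-session-token" }
  cookies = { auth_token: "constructed-remember-me-token" }
  token = forged ? "wrong" : session[:_csrf_token]
  controller = controller_class.new(session, cookies)
  controller.protect_from_forgery(authenticity_token: token)
  controller.current_user
end

if __FILE__ == $PROGRAM_NAME
  puts "default, forged request:  #{simulate(ControllerStandIn).inspect}"
  puts "fixed,   forged request:  #{simulate(FixedController).inspect}"
  puts "fixed,   verified request: #{simulate(FixedController, forged: false).inspect}"
end
```

With the stand-in default behaviour, a forged request clears the session but `current_user` still resolves "alice" through the cookie; with the override it resolves nil, while a verified request is unaffected. In a real Rails app the override goes in ApplicationController and reads `def handle_unverified_request; super; cookies.delete(:auth_token); end`.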