
Caching login forms with Ruby on Rails

Developer (devze) https://www.devze.com 2023-03-11 02:43 Source: web

I have a Rails 3 website, for which the home page is static content plus a login form. I want to use HTTP caching on this page (we're on Heroku - behind Varnish), but then the login form's authenticity token is cached, which triggers forgery protection and prevents login for all but the first session.

I think my best course of action is to disable forgery protection for this action but first I want to understand the risks involved.

So… what are the risks of disabling forgery protection in this scenario?

Alternatively, is there a better way to solve this problem?


Bad things could happen; there's a reason CSRF protection is on by default. http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests

