jhuckabee/backbone_devise

Using :get to sign_out may create insecurity

Closed this issue · 2 comments

I ran into an issue described here

http://stackoverflow.com/questions/9362910/rails-warning-cant-verify-csrf-token-authenticity-for-json-devise-requests

Sign in, then out, then back in fails because the csrf token has expired (or something). I noticed you solved this by signing out using :get in your devise.rb initializer, which is described as being a bad idea here:

http://stackoverflow.com/questions/941594/understand-rails-authenticity-token

I was wondering if you have found a more secure method, as suggested in the SO question?
Overriding and passing a new token each request seems like the best idea, though I am still unsure of the best way to go about implementing it.

P.S.
Cheers for this project. It is the best example of how to interact with Devise over JSON that I could find.
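The failure sequence above (sign in, sign out, sign in again) and the "pass a new token each request" idea, as an added simulation that is not backbone_devise, Devise or Rails code: the `FakeSession` and `FakeSessionsController` classes, their method names and the hex token format are all constructed stand-ins. Sign-out stays a CSRF-checked DELETE rather than an unchecked GET, and every JSON response carries the token the client must send next.

```ruby
require "securerandom"

# Constructed stand-in for a Rails session: sign-out resets it, and a reset
# session gets a new CSRF token, which is why a JSON client that still holds
# the old token fails its next sign-in. (Simulation, not Rails/Devise code.)
class FakeSession
  attr_reader :csrf_token
  attr_accessor :user
  def initialize
    reset!
  end

  def reset!                      # mirrors ActionController's reset_session
    @user = nil
    @csrf_token = SecureRandom.hex(16)
  end
end

# Hypothetical controller that keeps sign-out on DELETE (so the CSRF check
# still applies) and hands the client the token valid for its next request.
class FakeSessionsController
  def initialize
    @session = FakeSession.new
  end
  def current_csrf_token          # what the page bootstraps into the client
    @session.csrf_token
  end
  def sign_in(token, user)        # POST /users/sign_in.json
    return csrf_failure unless valid_token?(token)
    @session.user = user
    { status: 200, user: user, csrf_token: @session.csrf_token }
  end
  def sign_out(token)             # DELETE /users/sign_out.json
    return csrf_failure unless valid_token?(token)
    @session.reset!               # Devise sign_out + session reset
    { status: 200, csrf_token: @session.csrf_token }
  end

  private

  def csrf_failure
    { status: 422, error: "Can't verify CSRF token authenticity" }
  end
  def valid_token?(token)         # constant-time compare against the session
    expected = @session.csrf_token
    return false unless token.is_a?(String) && token.bytesize == expected.bytesize
    token.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```

Reusing the token from before sign-out reproduces the reporter's 422; using the token returned by the sign-out response succeeds.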

I have not looked into using HTTP DELETE for logging out. I will leave this ticket open and attempt a solution when I get some spare time in the coming weeks.

Graham, see 799fc95 for an implementation of this.