secure-action-plugin
secure_action is a Ruby on Rails plugin which makes it easy to defend your site against assumed-logged-in attacks, also called cross-site request forgery (CSRF) attacks.
In an assumed-logged-in attack, a malicious site assumes the visitor is logged into a target site. The malicious site crafts a URL to a destructive action on the target site (change email, delete account, etc.) and opens that URL in a hidden iframe. The browser then sends the user's cookies, and actions may be performed on the user's behalf without them ever knowing. This technique may be used to steal accounts or perform other malicious actions against sites which allow users to log in.
This plugin prevents these attacks by signing forms and URLs for specified actions with the user's session_id. By signing with the session_id, your site can be sure that the user of the browser generated the form or URL submitted. Signatures are verified before secure actions are executed.
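The signing scheme described above, as an added Ruby example (not the plugin's own code). It assumes HMAC-SHA256 keyed with the session_id over the action name; the helper names and the session values are constructed for illustration.

```ruby
require 'openssl'

# Hypothetical helper: sign one action with the session_id as the HMAC key.
# A cross-site page never sees the session cookie, so it cannot compute this.
def sign_action(session_id, action)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), session_id, action)
end

# Constant-time string comparison, so verification timing does not reveal
# how many leading characters of a guessed signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical helper: run before a protected action executes.
# Rejects missing sessions, missing signatures, and signatures made for
# another session or another action.
def verify_action(session_id, action, signature)
  return false if session_id.to_s.empty? || signature.to_s.empty?
  secure_equal?(sign_action(session_id, action), signature.to_s)
end

# Hypothetical helper: build the link the site itself renders for the user.
def signed_url(path, session_id, action)
  "#{path}?sig=#{sign_action(session_id, action)}"
end

if __FILE__ == $0
  alice   = 'sess-alice-7f3a'    # constructed session ids
  mallory = 'sess-mallory-19c2'
  action  = 'account/destroy'

  puts signed_url('/account/destroy', alice, action)
  # Link generated by the site for Alice's own session: accepted.
  puts verify_action(alice, action, sign_action(alice, action))
  # Cross-site request carrying Alice's cookie but no signature: rejected.
  puts verify_action(alice, action, nil)
  # Signature computed under a different session: rejected.
  puts verify_action(alice, action, sign_action(mallory, action))
  # Signature issued for a different action: rejected.
  puts verify_action(alice, action, sign_action(alice, 'account/update_email'))
end
```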
To install, check out the code in your RAILS_ROOT/vendor/plugins/ directory and follow the instructions in the README. Version 0.1 of the plugin requires Rails >= 1.2.
svn checkout http://secure-action-plugin.googlecode.com/svn/trunk/ secure-action-plugin
Author: Brian Ellin, brian at janrain.com
Copyright: 2006, JanRain Inc.