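module ActionController
  # Controller-side half of the CSRF check. A form opened with
  # ActionView::Helpers::CsrfProtectionHelper#secure_form_tag carries a hidden
  # "session_id_validation" field; validate_session requires that field to match
  # the current session before the action is allowed to run.
  module CsrfProtection
    # Body of the 403 response sent when the check fails.
    # NOTE(review): the HTML tags of this document were not preserved in the
    # copy reviewed; the markup below is a minimal reconstruction around the
    # surviving text.
    SESSION_VALIDATION_FAILED_HTML = <<EOF
<html>
<head><title>403 Forbidden</title></head>
<body>
<h1>403 Forbidden</h1>
<p>Session validation failed.</p>
</body>
</html>
EOF

    private

    # Returns true when params[:session_id_validation] matches the current
    # session id. Otherwise renders SESSION_VALIDATION_FAILED_HTML with a
    # "403 Forbidden" status and returns false, so a filter built on it can
    # halt the chain.
    #
    # Fails closed: a missing parameter, a value the query parser turned into an
    # Array/Hash, or a nil session id all count as a mismatch (a plain `==`
    # would have accepted nil == nil).
    #
    # NOTE(review): the token is the session id itself, so every protected form
    # body exposes the session identifier; any script injection or shared/cached
    # page then yields the cookie value even when the cookie is HttpOnly. A
    # dedicated random per-session token would avoid that. Not changed here
    # because secure_form_tag and existing forms depend on this field.
    def validate_session
      submitted = params[:session_id_validation]
      expected = session.session_id
      if secure_token_compare(submitted, expected)
        return true
      else
        render(:text => SESSION_VALIDATION_FAILED_HTML, :status => "403 Forbidden")
        return false
      end
    end

    # Compares two token strings without stopping at the first differing byte,
    # so the time taken does not depend on how much of the token was right
    # (String#== short-circuits). Non-String inputs never compare equal.
    def secure_token_compare(given, expected)
      return false unless given.is_a?(String) && expected.is_a?(String)
      given_bytes = given.unpack("C*")
      expected_bytes = expected.unpack("C*")
      return false unless given_bytes.length == expected_bytes.length
      diff = 0
      given_bytes.each_with_index { |byte, i| diff |= byte ^ expected_bytes[i] }
      diff == 0
    end
  end
end

module ActionView
  module Helpers
    # View-side half of the CSRF check (see ActionController::CsrfProtection).
    module CsrfProtectionHelper
      # Opens a form like start_form_tag and appends the hidden
      # "session_id_validation" field that validate_session expects.
      # All arguments are passed through to start_form_tag unchanged, and the
      # caller still closes the form as it would after start_form_tag.
      # The value attribute is emitted by hidden_field_tag, which is relied on
      # to escape it for HTML.
      def secure_form_tag(*args)
        form_open = start_form_tag(*args)
        token_field = hidden_field_tag("session_id_validation", session.session_id)
        return form_open + "\n" + token_field
      end
    end
  end
end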