Module

RequestForgeryProtection

There's no documentation for this item.

Modules
ClassMethods

Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a forged link from another site, is done by embedding a token based on the session (which an attacker wouldn't know) in all forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway). Also, GET requests are not protected as these should be idempotent anyway.
Public Methods
included
Protected Methods
authenticity_token_from_cookie_session No secret was given, so assume this is a cookie session store.
authenticity_token_from_session_id Generates a unique digest using the session_id and the CSRF secret.
form_authenticity_token Sets the token value for the current session. Pass a :secret option in #protect_from_forgery to add a custom salt to the hash.
protect_against_forgery?
verifiable_request_format?
verified_request? Returns true or false if a request is verified. Checks:
verify_authenticity_token The actual before_filter that is used. Modify this to change how you handle unverified requests.
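The token scheme described above and the checks performed by verified_request?, as an added stand-alone Ruby model rather than the Rails module's own code; the class name ForgeryCheck, its method names, and the sample secret and session id are assumptions.

```ruby
require 'openssl'

# Added example (not the Rails source): a stand-alone model of the CSRF
# token scheme this module describes. Class and method names are assumptions.
class ForgeryCheck
  HTML_FORMATS = %w[html js].freeze   # only HTML/JavaScript requests are checked
  SAFE_METHODS = %w[GET].freeze       # GET is treated as idempotent and is not checked

  def initialize(secret:, digest: 'SHA1', enabled: true)
    @secret  = secret
    @digest  = digest
    @enabled = enabled
  end

  # Mirrors authenticity_token_from_session_id: an HMAC over the session id
  # keyed with the CSRF secret, so a site that knows neither the session id
  # nor the secret cannot produce a valid token for this user.
  def token_for(session_id)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(@digest), @secret.to_s, session_id.to_s)
  end

  # Mirrors verified_request?: a request passes when protection is off, when it
  # is a GET, when its format is not one we check, or when the submitted token
  # matches the one derived from the session.
  def verified?(method:, format:, session_id:, submitted_token:)
    return true unless @enabled
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    return true unless HTML_FORMATS.include?(format.to_s)
    secure_compare(token_for(session_id), submitted_token.to_s)
  end

  private

  # Constant-time comparison so a mismatch does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  check = ForgeryCheck.new(secret: 'example-csrf-secret')   # constructed value
  token = check.token_for('sess-1234')                       # constructed session id
  puts check.verified?(method: 'POST', format: 'html', session_id: 'sess-1234', submitted_token: token)    # true
  puts check.verified?(method: 'POST', format: 'html', session_id: 'sess-1234', submitted_token: 'forged') # false
end
```

Note that, as the description says, an XML request passes the check regardless of token, so an API served in that format needs its own authentication.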