I have a Rails 3 website, for which the home page is static content plus a login form. I want to use HTTP caching on this page (we’re on Heroku - behind Varnish), but then the login form's authenticity token is cached which triggers forgery protection and prevents login for all but the first session.
I think my best course of action is to disable forgery protection for this action but first I want to understand the risks involved.
So… what are the risks of disabling forgery protection in this scenario?
Alternatively, is there a better way to solve this problem?
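To make the failure mode in the question concrete, here is an added Ruby sketch (not Rails code and not from the poster): a toy per-session token check, a Varnish-like cache that freezes the first rendered form, and the usual mitigation of serving the token from an uncached per-session endpoint so forgery protection can stay enabled. The cache, session and `token_endpoint` helpers are constructed simplifications.

```ruby
require "securerandom"

# Constant-time comparison so token checks don't leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified model of protect_from_forgery: the token submitted with the form
# must match the token stored in the *requesting* session (constructed, not Rails' code).
def csrf_valid?(session, submitted_token)
  stored = session[:_csrf_token]
  return false if stored.nil? || submitted_token.nil?
  secure_compare(stored, submitted_token)
end

def new_session
  { _csrf_token: SecureRandom.base64(32) }
end

# Login page as the question describes it: the authenticity token is baked into the HTML.
def render_login_page(session)
  "<form action='/login'><input name='authenticity_token' value='#{session[:_csrf_token]}'></form>"
end

def token_in(html)
  html[/authenticity_token' value='([^']*)'/, 1]
end

# Scenario 1: HTTP cache stores Alice's render; Bob receives Alice's token and is rejected.
def cached_page_login_results
  cache = {}                                   # stands in for Varnish
  alice, bob = new_session, new_session
  page_for_alice = cache["/"] ||= render_login_page(alice)
  page_for_bob   = cache["/"] ||= render_login_page(bob)   # cache hit: same bytes as Alice's
  [csrf_valid?(alice, token_in(page_for_alice)), csrf_valid?(bob, token_in(page_for_bob))]
end

# Scenario 2 (mitigation): cache a token-free shell and let each client fetch its own
# token from an endpoint served with Cache-Control: private, no-store (assumed), then
# fill the form field on the client. Forgery protection is never disabled.
def render_login_shell
  "<form action='/login'><input name='authenticity_token' value=''></form>"
end

def token_endpoint(session)                    # assumed uncached, per-session endpoint
  session[:_csrf_token]
end

def uncached_token_login_results
  cache = {}
  [new_session, new_session].map do |s|
    cache["/"] ||= render_login_shell          # shared bytes, no secret inside
    csrf_valid?(s, token_endpoint(s))
  end
end
```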
Bad things could happen, there's a reason CSRF is on by default. http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests