is there anything i need to add to my ajax request for anti-forgery to work? I'm getting invalid token errors every time 😞

sd: Either an __anti-forgery-token parameter, or a x-csrf-token header or a x-xsrf-token header.

The README explains it.

is it not possible to use the value in the session cookie?

The token is compared to the token in the session.

The problem with POSTs is that they don’t adhere to the same-origin policy

Because they predate it.

So someone can create a form on their own website

Use Javascript to automatically POST it

And the form will be POSTed to your website with your website's session

The way to stop it is to also pass along a secret token that is compared to the session.

So the user needs to be logged in, and POSTing from a page under your control.

ring-anti-forgery stores this token in *anti-forgery-token*

I saw that token, and it matched the :ring.middleware.anti-forgery/anti-forgery-token in :session

since the ajax requests are being submitted with the cookie, i figured the token could be extracted that way

No, because the cookie isn’t safe.

but thanks for explaining, i'll try adding it as a parameter

The anti-forgery-token needs to be in the session and passed through a parameter.

ok

and it's alright to just send the token to the client at some point, to include in your ajax requests?

Yeah. The point of the token is to make sure that the request comes from a page under your control.

cool

https://en.wikipedia.org/wiki/Cross-site_request_forgery