Ruby on Rails CSRF token creation

The code to create a CSRF token in Ruby on Rails is:

      def mask_token(raw_token) # :doc:
        # fresh random pad, same length as the raw token, generated per call
        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
        # XOR the raw token with the pad
        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
        # pad is prepended so the receiver can undo the XOR
        masked_token = one_time_pad + encrypted_csrf_token
        encode_csrf_token(masked_token)
      end

What is the point of doing this if the one_time_pad is included in the masked token anyway? Why can't the raw token be used directly?
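The masking above, as an added example (this is not the Rails source and not the asker's code): a stand-alone Ruby reimplementation of mask_token together with the unmask step the server performs, so the round trip can be run and inspected. The helper names xor_byte_strings and encode_csrf_token are borrowed from the snippet but reimplemented here; unmask_token, valid_masked_token? and demo are names assumed for this example, and the constant-time comparison is a hand-rolled stand-in for the one Rails uses. What the example makes visible is that the same session token produces a different byte string on every response while the raw value never appears verbatim; that property is the documented reason Rails masks the token, as a mitigation for compression side channels (BREACH), which recover a secret from compressed HTTPS response sizes only when the secret repeats unchanged across responses.

```ruby
require 'securerandom'
require 'base64'

# Same raw-token length Rails uses.
AUTHENTICITY_TOKEN_LENGTH = 32

# XOR two equal-length byte strings (reimplementation of the Rails helper name).
def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |a, b| a ^ b }.pack('C*')
end

def encode_csrf_token(bytes)
  Base64.urlsafe_encode64(bytes)
end

def decode_csrf_token(str)
  Base64.urlsafe_decode64(str)
end

# Mirror of the mask_token shown in the question: random pad, XOR, pad prepended.
def mask_token(raw_token)
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
  masked_token = one_time_pad + encrypted_csrf_token
  encode_csrf_token(masked_token)
end

# Hypothetical receiver side: split the pad off the front and XOR again.
# Returns nil for anything that is not exactly pad + ciphertext in length.
def unmask_token(masked_token)
  bytes = decode_csrf_token(masked_token)
  return nil unless bytes.bytesize == 2 * AUTHENTICITY_TOKEN_LENGTH
  one_time_pad = bytes.byteslice(0, AUTHENTICITY_TOKEN_LENGTH)
  encrypted_csrf_token = bytes.byteslice(AUTHENTICITY_TOKEN_LENGTH, AUTHENTICITY_TOKEN_LENGTH)
  xor_byte_strings(one_time_pad, encrypted_csrf_token)
rescue ArgumentError
  nil # malformed Base64
end

# Compare the unmasked value against the session token without early exit
# (a stand-in for the fixed-length secure compare Rails uses).
def valid_masked_token?(masked_token, raw_session_token)
  candidate = unmask_token(masked_token)
  return false if candidate.nil? || candidate.bytesize != raw_session_token.bytesize
  xor_byte_strings(candidate, raw_session_token).bytes.reduce(0, :|).zero?
end

# Demonstration: two masked copies of one session token differ on the wire,
# both verify, the raw token is never present literally, and a token masked
# from a different secret is rejected.
def demo(raw_token = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH))
  a = mask_token(raw_token)
  b = mask_token(raw_token)
  other = mask_token(SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH))
  {
    distinct_on_wire: a != b,
    both_verify: valid_masked_token?(a, raw_token) && valid_masked_token?(b, raw_token),
    raw_never_literal: !decode_csrf_token(a).include?(raw_token) &&
                       !decode_csrf_token(b).include?(raw_token),
    wrong_secret_rejected: !valid_masked_token?(other, raw_token)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Run it directly to see the four properties printed as true; reloading a real Rails form and diffing the two authenticity_token values shows the same distinct_on_wire behaviour.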

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow