Only a CRIME exploit could guess the cookie.

In theory, if the page always serves the cookie, even when it doesn’t change (which seems to be the case with Rails apps) AND if the page is mostly static (the x-runtime header will always change, which might affect the compression algorithm), then you might succeed in stealing the full session cookie if you’re able to watch the traffic through some external software or a man-in-the-middle attack (this is not possible with client-side JavaScript).

But then it has nothing to do with CSRF, because CSRF is about using the same existing session with XHR. That’s why the token exists in the first place. The token doesn’t protect against session stealing in any way.

If you’re really concerned about such kinds of attacks, then one way to get protection against them would be to always change the session on every request by assigning some random value to it, which will make the encrypted cookie completely different from the previous one.
