Last Update: 2018-06-11 12:46:59 -0700


  • Support has been added for using Roda’s route_csrf plugin with request-specific CSRF tokens. When loading the Rodauth into your Roda app, specify the :csrf=>:route_csrf plugin option so that Rodauth will load the route_csrf plugin instead of the csrf plugin.

  • The use_request_specific_csrf_tokens? configuration option has been added, it defaults to true when the the :csrf=>:route_csrf option is used when loading the plugin.

  • If you have custom templates for the reset password request, unlock account request, or verify account resend link request, you will have to update them to use the new request-specific CSRF token feature.

Backwards Compatibility

  • The csrf_tag configuration method now accepts the path as an optional argument, previously it accepted no arguments. The optional argument defaults to the path of the current request.