SECURITY: correct our CSRF implementation to be much more aggressive

app/controllers/session_controller.rb

@@ -1,10 +1,11 @@
 class SessionController < ApplicationController
-  # we need to allow account login with bad CSRF tokens, if people are caching, the CSRF token on the
-  #  page is going to be empty, this means that server will see an invalid CSRF and blow the session
-  #  once that happens you can't log in with social
-  skip_before_filter :verify_authenticity_token, only: [:create]
+
   skip_before_filter :redirect_to_login_if_required
 
+  def csrf
+    render json: {csrf: form_authenticity_token }
+  end
+
   def create
     params.require(:login)
     params.require(:password)