protect-from-forgery

please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class. Basically here's the code: class ApplicationController < ActionController::Base helper :all # include all helpers, all the time protect_from_forgery helper_method :current_user_session, :current_user filter_parameter_logging :password, :password_confirmation What I assume it should do is: it should prevent any POST requests without correct authenticity_token . But when I send post request with jQuery like the one below, it works fine (there's

I am using Rails 3.0.2 which has protect_from_forgery by default in application_controller.rb. I wanted to trigger an InvalidAuthenticityToken . To do this I have added this javascript to my page: $('input[name=authenticity_token]').val('aaa') Checking the DOM with Firebug I see the authenticity_token hidden field is correctly updated. If I submit the form and check the log from the server I see the relative parameter is correctly set to 'aaa'. I would expect to get a InvalidAuthenticityToken while the request is processed as it was correct! How is this possible? The documentation for the

I have web site built with Rails3 and now I want to implement json API for mobile client access. However, sending json post request from the client because of the protect_from_forgery filter. Because the client will not retrieve any data from the server, there is no way that the client can receive auth_token so I would like to turn off the protect_from_forgery option only for json requests (I thought rails3 does this in default but apparently it does not). I know similar topic is discussed at here but in that case, he receives auth_token before sending post request. So my question is turning

I have read multiple questions and answers here on StackOverflow about InvalidAuthenticityToken and protect_from_forgery but get none the wiser. I have a website that get hundreds of these errors every day. They seem to be mainly (only?) from mobile but I have only verified that through samples. I understand why there is an AuthenticityToken and the need for adding <%= csrf_meta_tags %> in the application.html (which I have) as well as having protect_from_forgery in the application controller. I have both the csrf_meta_tags and: protect_from_forgery with: :exception in my Application