Rails 3 protect_from_forgery not working correctly?

青春壹個敷衍的年華 提交于 2019-12-09 13:29:59

问题


I am using Rails 3.0.2 which has protect_from_forgery by default in application_controller.rb.

I wanted to trigger an InvalidAuthenticityToken.
To do this I have added this javascript to my page:

$('input[name=authenticity_token]').val('aaa')

Checking the DOM with Firebug I see the authenticity_token hidden field is correctly updated.

If I submit the form and check the log from the server I see the relative parameter is correctly set to 'aaa'. I would expect to get a InvalidAuthenticityToken while the request is processed as it was correct!

How is this possible?


回答1:


The documentation for the authenticity token/csrf behavior is out of date. The InvalidAuthenticityToken exception is no longer thrown in these cases, instead your session is just reset. If you would like to handle this differently (or the old way) you can define your own behavior in handle_unverified_request on your controller.




回答2:


I also believe you would have to reset the Authenticity token that resides in the meta tag of the html page that your form is in (I am assuming that you have the <%= csrf_meta_tag %> in there). Rails checks if either of the token in the form (that you changed in your javascript above) or the token in the meta tag of the html page match with Rails' expected authenticity token, and if ANY of them match, then your InvalidAuthenticityToken won't be triggered....



来源:https://stackoverflow.com/questions/6090063/rails-3-protect-from-forgery-not-working-correctly

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!