Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rails 4 Authenticity Token

Tags:

ruby

ruby-on-rails

authenticity-token

ruby-on-rails-4

I think I just figured it out. I changed the (new) default

protect_from_forgery with: :exception

to

protect_from_forgery with: :null_session

as per the comment in ApplicationController.

# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.

You can see the difference by looking at the source for request_forgery_protecton.rb, or, more specifically, the following lines:

In Rails 3.2:

# This is the method that defines the application behavior when a request is found to be unverified.
# By default, \Rails resets the session when it finds an unverified request.
def handle_unverified_request
  reset_session
end

In Rails 4:

def handle_unverified_request
  forgery_protection_strategy.new(self).handle_unverified_request
end

Which will call the following:

def handle_unverified_request
  raise ActionController::InvalidAuthenticityToken
end

Instead of turn off the csrf protection, it's better to add the following line of code into the form

<%= tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) %>

and if you're using form_for or form_tag to generate the form, then it will automatically add the above line of code in the form


Adding the following line into the form worked for me:

<%= hidden_field_tag :authenticity_token, form_authenticity_token %>

I don't think it's good to generally turn off CSRF protection as long as you don't exclusively implement an API.

When looking at the Rails 4 API documentation for ActionController I found that you can turn off forgery protection on a per controller or per method base.

For example to turn off CSRF protection for methods you can use

class FooController < ApplicationController
  protect_from_forgery except: :index

Came across the same problem. Fixed it by adding to my controller:

      skip_before_filter :verify_authenticity_token, if: :json_request?

Did you try? 

 protect_from_forgery with: :null_session, if: Proc.new {|c| c.request.format.json? }

Related questions

Rails ActiveRecord date between
Rails migrations: Undo default setting for a column
Error installing libv8: ERROR: Failed to build gem native extension
Ruby on Rails Callback, what is difference between :before_save and :before_create?
Rails select helper - Default selected value, how?
How to test if parameters exist in rails
ActiveRecord OR query
config.assets.compile=true in Rails production, why not?
What is the right way to override a setter method in Ruby on Rails?
execJs: 'Could not find a JavaScript runtime' but execjs AND therubyracer are in Gemfile
How to redirect to previous page in Ruby On Rails?
Change a Rails application to production
What do the &,<<, * mean in this database.yml file?
Rails: Installing PG gem on OS X - failure to build native extension
Repairing Postgresql after upgrading to OSX 10.7 Lion
Rails - Nested includes on Active Records?
Unable to install gem - Failed to build gem native extension - cannot load such file -- mkmf (LoadError)
Generate model in Rails using user_id:integer vs user:references
How to determine if one array contains all elements of another array
invalid multibyte char (US-ASCII) with Rails and Ruby 1.9

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!