I have a Rails app that serves some APIs to an iPhone application. I want to be able to simply POST to a resource without worrying about getting the correct CSRF token. I tried some methods that I saw here on Stack Overflow, but it seems they no longer work on Rails 3.
Thank you for helping me.
To disable CSRF protection on all routes, navigate to app\Http\Middleware and open the VerifyCsrfToken.php file. Then update the routes for which you want to disable CSRF protection.
The real CSRF token is stored in the session like so: session[:_csrf_token]. If it does not exist already, it is generated using a SecureRandom function and stored base64-encoded. As it is binary data, the token is then base64-decoded before being returned to the calling function.
Rails CSRF Token
The server generates these tokens, links them to the user session, and stores them in the database. This token is then injected into any form presented to the client as a hidden field. When the client correctly submits the form for validation, it passes the token back to the server.
When a user makes a POST request, the CSRF token from the HTML gets sent with that request. Rails compares the token from the page with the token from the session cookie to ensure they match.
In the controller where you want to disable the CSRF check:
skip_before_action :verify_authenticity_token
Or to disable it for everything except a few methods:
skip_before_action :verify_authenticity_token, :except => [:update, :create]
Or to disable only specified methods:
skip_before_action :verify_authenticity_token, :only => [:custom_auth, :update]
More info: RoR Request Forgery Protection
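As an added illustration of both the token description above (a SecureRandom token kept base64-encoded in session[:_csrf_token] and compared against the value posted back) and of what skipping verify_authenticity_token for selected actions actually means, here is a self-contained Ruby model of the check. It is not Rails code or code from this answer; the CsrfSim module, the ApiController class, its actions, the X-Api-Key header and the API key are all constructed for the example. The one-time-pad masking is what Rails 4.2 and later add to defeat compression side channels; Rails 3 sends the session token in the form unchanged.

```ruby
require "securerandom"
require "base64"

# Stand-in for the Rails authenticity-token check (constructed example, not Rails code).
module CsrfSim
  TOKEN_LENGTH = 32

  # Real token: generated once per session from SecureRandom, kept base64-encoded
  # in session[:_csrf_token], and decoded back to raw bytes whenever it is used.
  def self.real_token(session)
    session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH))
    Base64.strict_decode64(session[:_csrf_token])
  end

  # Token placed in the form's hidden field. A fresh one-time pad is XORed over
  # the real token and sent along with it, so every rendered form carries a
  # different value while still verifying against the same session token
  # (the masking Rails 4.2+ added; Rails 3 used the real token as-is).
  def self.masked_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, real_token(session)))
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison so an attacker cannot recover the token byte by
  # byte from response timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The check a POST must pass: unmask the submitted token and compare it with
  # the session's real token. Anything missing or malformed is rejected.
  def self.valid_token?(session, submitted)
    return false unless submitted.is_a?(String)
    begin
      decoded = Base64.strict_decode64(submitted)
    rescue ArgumentError
      return false
    end
    return false unless decoded.bytesize == 2 * TOKEN_LENGTH
    pad, masked = decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, masked), real_token(session))
  end
end

# Minimal model of a controller whose API action skips the CSRF check, the way
# `skip_before_action :verify_authenticity_token, :only => [:create]` does.
# Hypothetical class, actions, header name and API key; none of it is from the answer.
class ApiController
  CSRF_EXEMPT = [:create].freeze                                # :only => [:create]
  API_KEYS = { "iphone-app-key-example" => "iphone" }.freeze    # constructed credential

  # Returns [status, body]. An exempt action must prove identity with something
  # the browser does not attach on its own (here a header); otherwise the
  # exemption simply reopens the CSRF hole for that action.
  def self.handle(action, session:, params: {}, headers: {})
    if CSRF_EXEMPT.include?(action)
      return [401, "missing or unknown API key"] unless API_KEYS.key?(headers["X-Api-Key"])
    else
      return [422, "invalid authenticity token"] unless CsrfSim.valid_token?(session, params[:authenticity_token])
    end
    [200, "#{action} ok"]
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  form_token = CsrfSim.masked_token(session)
  p ApiController.handle(:update, session: session, params: { authenticity_token: form_token })
  p ApiController.handle(:update, session: session, params: { authenticity_token: "forged" })
  p ApiController.handle(:create, session: session, headers: { "X-Api-Key" => "iphone-app-key-example" })
  p ApiController.handle(:create, session: session)
end
```

The point of the ApiController half is the caveat that goes with the answer: skipping verify_authenticity_token is safe only for actions that do not rely on the session cookie for authentication, because the cookie is exactly what a forged cross-site request carries for free. If the iPhone client sends an API key or bearer token in a header, the exempt actions should require that header and ignore the session; if they still accept the session cookie, the exemption turns every one of them into a CSRF target.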