Rails 4 Authenticity Token

by

I think I just figured it out. I changed the (new) default

protect_from_forgery with: :exception

to

protect_from_forgery with: :null_session

as per the comment in ApplicationController.

# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.

You can see the difference by looking at the source for request_forgery_protecton.rb, or, more specifically, the following lines:

In Rails 3.2:

# This is the method that defines the application behavior when a request is found to be unverified.
# By default, \Rails resets the session when it finds an unverified request.
def handle_unverified_request
  reset_session
end

In Rails 4:

def handle_unverified_request
  forgery_protection_strategy.new(self).handle_unverified_request
end

Which will call the following:

def handle_unverified_request
  raise ActionController::InvalidAuthenticityToken
end

More Related Contents:

  1. Boolean Validation
  2. Understanding the Rails Authenticity Token
  3. How to get a random number in Ruby
  4. How to solve error “Missing `secret_key_base` for ‘production’ environment” (Rails 4.1)
  5. Rails 4: List of available datatypes
  6. Disable ActiveRecord for Rails 4
  7. rescue_from ActionController::RoutingError in Rails 4
  8. Rails 4: before_filter vs. before_action
  9. Saving enum from select in Rails 4.1
  10. Rails update_attributes without save?
  11. ERROR: Failed to build gem native extension on Mavericks
  12. Rails 4: assets not loading in production
  13. “bin/rails: No such file or directory” w/ Ruby 2 & Rails 4 on Heroku
  14. Rails I18n validation deprecation warning
  15. Rails 4.0 Strong Parameters nested attributes with a key that points to a hash
  16. strong parameters permit all attributes for nested attributes
  17. Is the server running on host “localhost” (::1) and accepting TCP/IP connections on port 5432?
  18. How to prevent browser page caching in Rails
  19. Submit POST data from controller to another website in Rails
  20. What does map(&:name) do in this Ruby code?
  21. LEFT OUTER joins in Rails 3
  22. HEROKU – cannot run git push heroku master [duplicate]
  23. rails4 unknown encoding name – CP720
  24. What is the difference between Ruby and Ruby on Rails?
  25. Find number of months between two Dates in Ruby on Rails
  26. nokogiri gem installation error
  27. How to edit or write on existing PDF with Ruby?
  28. Why is respond_with being removed from rails 4.2 into it’s own gem?
  29. Customizing Devise error messages in Rails 3?
  30. How do I use CSS with a ruby on rails application?

Leave a Comment