Rails on me :)
Sunday, June 20, 2010
  AJAX in Rails with Authenticity Token

Source: http://archive.alwaysmovefast.com/ajax-in-rails-with-authenticity-token.html

When an AJAX request is sent as a POST, an InvalidAuthenticityToken error is raised. The way around it is described below.

AJAX in Rails with Authenticity Token


When you use active_record_store instead of the cookie-based default, you need to uncomment the line in controllers/application.rb that says protect_from_forgery :secret => 'blah'. This checks that the HTML form and JavaScript requests which change state are coming from your own web application. It essentially protects you from something called "Cross-site request forgery" by embedding a token into your web forms and rejecting non-GET requests that do not carry it.

As a side note, it's really not giving you much security at all, but that might be better left for another blog post.

I was banging my head against the wall yesterday trying to figure out why a custom Ajax.Updater wasn't working and I kept getting an ActionController::InvalidAuthenticityToken exception. I decided to dig into the request_forgery_protection.rb file in actionpack-*/lib/action_controller and found that for custom requests, you need to include the authenticity_token yourself by taking advantage of the form_authenticity_token helper. When building the updater's request url I just added "&authenticity_token=" to the end and everything was fine.

Another way would be to skip the forgery protection for just that action by including this in your controller: protect_from_forgery :except => [:updater]

You can also remove forgery protection from a whole controller by doing skip_before_filter :verify_authenticity_token

Back to the vulnerability of your web forms: I imagine this does protect your web application from someone hosting a form on their site that posts to your site. However, if someone really wants to spam some stuff they'll scrape your page with cookies enabled on their scraping software, scrape your form's fields (which include the authenticity_token hidden field) and POST to their heart's desire.
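As an added example (not code from the original post, and not Rails itself): a small Ruby model of the check that sits behind protect_from_forgery / verify_authenticity_token, run over the cases the post talks about: the GET that is never checked, the POST that raises InvalidAuthenticityToken, the POST fixed by sending form_authenticity_token along, the action listed in :except, and what a token scraped from a different session does. The names ForgeryGuard, verify! and run_cases are mine; the per-session random token is an assumption modelled on the scheme Rails 2.3 used (Rails 2.0-2.2 derived the token from the session id and the :secret instead).

```ruby
# Added example (not the post's code, not Rails itself): a model of what
# protect_from_forgery / verify_authenticity_token check, so the cases in
# the post can be run offline. Assumptions: the token is a random value kept
# in the session (Rails 2.3's scheme; 2.0-2.2 derived it from the session id
# and the :secret instead), and :except skips the check per action.
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

class ForgeryGuard
  # Mirrors `protect_from_forgery :except => [...]` in a controller.
  def initialize(except: [])
    @except = except.map(&:to_s)
  end

  # form_authenticity_token: one random token per session, created lazily.
  # This is the value the form helper embeds as the hidden authenticity_token
  # field and the value a custom Ajax request has to send along itself.
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # verify_authenticity_token as a before filter: raises when not verified.
  def verify!(session, method:, action:, params: {}, headers: {})
    return true if verified_request?(session, method: method, action: action,
                                     params: params, headers: headers)
    raise InvalidAuthenticityToken,
          "#{method.to_s.upcase} #{action} without a valid authenticity_token"
  end

  # GET/HEAD are never checked, nor are actions listed in :except. Everything
  # else must present this session's token, either as a param (hidden form
  # field or query string, as the post did with "&authenticity_token=") or in
  # the X-CSRF-Token header.
  def verified_request?(session, method:, action:, params: {}, headers: {})
    return true if %w[get head].include?(method.to_s.downcase)
    return true if @except.include?(action.to_s)
    expected  = form_authenticity_token(session)
    presented = params['authenticity_token'] || params[:authenticity_token] ||
                headers['X-CSRF-Token']
    !presented.nil? && secure_compare(presented, expected)
  end

  private

  # Constant-time comparison so the token cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Runs the cases from the post against the model and returns the outcomes.
def run_cases
  guard = ForgeryGuard.new(except: [:updater])
  victim_session   = {}   # constructed: the logged-in user's session
  attacker_session = {}   # constructed: a scraper's own cookie jar
  results = {}

  # 1. A plain GET (Ajax.Updater's default method) is never checked.
  results[:get] = guard.verified_request?(victim_session, method: :get, action: :show)

  # 2. POST without the token: the InvalidAuthenticityToken case from the post.
  results[:post_no_token] = begin
    guard.verify!(victim_session, method: :post, action: :show)
  rescue InvalidAuthenticityToken
    :rejected
  end

  # 3. POST carrying the token from the same session's page: the fix.
  token = guard.form_authenticity_token(victim_session)
  results[:post_with_token] = guard.verified_request?(
    victim_session, method: :post, action: :show,
    params: { 'authenticity_token' => token })

  # 4. A token scraped from another session does not verify against the
  #    victim's session: the token is bound to the session cookie, which is
  #    what stops a form hosted on another site.
  scraped = guard.form_authenticity_token(attacker_session)
  results[:post_scraped_token] = guard.verified_request?(
    victim_session, method: :post, action: :show,
    params: { 'authenticity_token' => scraped })

  # 5. The scraper posting with its own cookies and its own scraped token
  #    verifies fine: the token is not a bot filter.
  results[:scraper_own_session] = guard.verified_request?(
    attacker_session, method: :post, action: :show,
    params: { 'authenticity_token' => scraped })

  # 6. An action excluded with :except is accepted without any token.
  results[:except_action] = guard.verified_request?(victim_session, method: :post, action: :updater)
  results
end

run_cases.each { |name, value| puts "#{name}: #{value.inspect}" } if __FILE__ == $0
```

Cases 4 and 5 together are the practical reading of the post's last paragraph: the token ties a request to the session that rendered the form, so it blocks a form hosted elsewhere from acting as a logged-in victim, but it does nothing against a client that fetches the form with its own cookies and posts it back.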
