Rails 3protect_from_forgery无法正常工作? [英] Rails 3 protect_from_forgery not working correctly?

问题描述

我正在使用Rails 3.0.2，它在application_controller.rb中默认为protect_from_forgery.

I am using Rails 3.0.2 which has protect_from_forgery by default in application_controller.rb.

我想触发一个InvalidAuthenticityToken.
为此，我已将此JavaScript添加到我的页面:

I wanted to trigger an InvalidAuthenticityToken.
To do this I have added this javascript to my page:

$('input[name=authenticity_token]').val('aaa')

使用Firebug检查DOM，我发现authenticity_token隐藏字段已正确更新.

Checking the DOM with Firebug I see the authenticity_token hidden field is correctly updated.

如果我提交表单并检查服务器上的日志，我会看到相对参数正确设置为'aaa'.我希望在处理请求时得到一个InvalidAuthenticityToken，因为它是正确的！

If I submit the form and check the log from the server I see the relative parameter is correctly set to 'aaa'. I would expect to get a InvalidAuthenticityToken while the request is processed as it was correct!

这怎么可能?

推荐答案

真实性令牌/csrf行为的文档已过时.在这些情况下，不再引发InvalidAuthenticityToken异常，而是仅重置您的会话.如果您想以其他方式(或旧方法)处理此问题，则可以在控制器上的handle_unverified_request中定义自己的行为.

The documentation for the authenticity token/csrf behavior is out of date. The InvalidAuthenticityToken exception is no longer thrown in these cases, instead your session is just reset. If you would like to handle this differently (or the old way) you can define your own behavior in handle_unverified_request on your controller.

这篇关于Rails 3protect_from_forgery无法正常工作?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！