Work with authenticity token? Or disable it?


Question

My mini-web-appliance will submit data samples to a RoR app, which will add them to a MySQL table.

I figured out how to form the POST data packet, but what I don't get is how to avoid the authenticity-token problem.

Is there a way for my little dumb client to grab the right token and send it back? (I'm guessing not, or it wouldn't be much of a security feature.)

This is not a highly security-sensitive application, so should I just tell this page to ignore the authenticity token altogether?

It will hopefully be authenticated by the fact that each client (web appliance) logs in with a unique user ID and password, so it would be protected by the session ID.

Keb'm

Accepted answer

If each client is authenticated then it's OK to disable the authenticity token; that said, you should only disable it for that one action.

# Skip the CSRF check only for the create action (Rails 3-era filter syntax)
skip_before_filter :verify_authenticity_token, :only => :create
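To make the scoping in the answer concrete, here is an added, self-contained Ruby sketch that is not Rails code and not from the original answer: it imitates what the `verify_authenticity_token` filter does (compare a per-session token against the one submitted with the request, in constant time) and what `skip_before_filter ..., :only => :create` changes (the check is bypassed for that single action). The class name `SamplesController`, the `SKIP_CSRF_FOR` list, the session-hash layout and the `handle` method are all assumptions made for the illustration; the "browser" and "appliance" sessions are constructed inline. The point it shows is that the skipped action is still gated by the login session, while every other action keeps the token check.

```ruby
require 'securerandom'

# Constructed stand-in for Rails' authenticity-token (CSRF) check. Not Rails code.
class InvalidAuthenticityToken < StandardError; end
class Unauthenticated < StandardError; end

class SamplesController
  # Mirrors `skip_before_filter :verify_authenticity_token, :only => :create`:
  # the CSRF check is skipped for this one action and nothing else.
  SKIP_CSRF_FOR = [:create].freeze

  # Constant-time comparison so a mismatch does not leak where the bytes differ.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Issue the per-session token that a server-rendered form would embed.
  def self.issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # The check that the filter normally runs before every non-GET action.
  def self.verify_authenticity_token(session, params)
    expected = session[:_csrf_token]
    given = params[:authenticity_token]
    raise InvalidAuthenticityToken unless expected && secure_compare(expected, given)
  end

  # Dispatch one request. Returns :ok; raises on a rejected request.
  # `session` is the server-side session hash (assumed to hold :user_id after login).
  def self.handle(action, session, params)
    verify_authenticity_token(session, params) unless SKIP_CSRF_FOR.include?(action)
    # The skipped action is still protected by the login session the question relies on.
    raise Unauthenticated unless session[:user_id]
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario 1: a logged-in browser session posting a form with its token.
  browser = { user_id: 7 }
  token = SamplesController.issue_token(browser)
  puts SamplesController.handle(:update, browser, { authenticity_token: token })   # ok

  # Constructed scenario 2: the logged-in appliance, which sends no token at all.
  appliance = { user_id: 42 }
  puts SamplesController.handle(:create, appliance, {})                             # ok (skipped)
  begin
    SamplesController.handle(:update, appliance, {})                                # still checked
  rescue InvalidAuthenticityToken
    puts 'update without token rejected'
  end

  # Constructed scenario 3: an anonymous caller hitting the skipped action.
  begin
    SamplesController.handle(:create, {}, {})
  rescue Unauthenticated
    puts 'anonymous create rejected'
  end
end
```

The design choice worth noting is that the skip list is per action, not global: the appliance's `create` goes through without a token, but `update` on the same session is still refused, and an unauthenticated `create` is refused by the session check that the skip does not touch.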
