手机中的InvalidAuthenticityToken错误 [英] InvalidAuthenticityToken errors in mobile
问题描述
我在StackOverflow上阅读了有关InvalidAuthenticityToken和protect_from_forgery的多个问题和答案,但没有一个更明智.
I have read multiple questions and answers here on StackOverflow about InvalidAuthenticityToken and protect_from_forgery but get none the wiser.
我有一个网站,每天都会收到数百个此类错误.它们似乎主要(仅?)来自移动设备,但我仅通过示例进行了验证.
I have a website that get hundreds of these errors every day. They seem to be mainly (only?) from mobile but I have only verified that through samples.
我了解为什么要有一个AuthenticityToken并需要添加
I understand why there is an AuthenticityToken and the need for adding
<%= csrf_meta_tags %>
在application.html(我拥有)中,以及在应用程序控制器中具有protect_from_forgery.我同时拥有csrf_meta_tags和:
in the application.html (which I have) as well as having protect_from_forgery in the application controller. I have both the csrf_meta_tags and:
protect_from_forgery with: :exception
在我的应用程序"控制器中,这是默认设置.
in my Application controller, as is default.
我意识到我可以通过删除protect_from_forgery来解决"该问题,但这会使我容易受到CSRF攻击,因此这不是真正的解决方案,对吗?我可以为正在发生的表单发布的protect_from_forgery添加一个"except",但这会使我同样容易受到攻击,对吗?
I realize I can "solve" the problem by removing protect_from_forgery but that would make me vulnerable for CSRF-attacks so that is not really a solution, is it? I could add an "except" for protect_from_forgery for the form posts that take place but that would leave me just as vulnerable, right?
我尝试在禁用cookie的情况下用手机访问该表格,并遇到422错误.但是无法使其引起异常.为我的结果"函数添加一个异常将其删除,但这使它容易受到攻击吗?
I tried accessing the form with my mobile with cookies disabled and experienced a 422 error. Couldn't get it to cause the exception though. Adding an exception for my "result" function removed that, but that makes it vulnerable I guess?
Edit2:我在同一页面上有几种表单(例如搜索表单).也许这可能会影响问题?
I have several forms on the same page (e.g. a search form). Perhaps this could affect the issue?
我现在无法使用它,因为它每天会导致数百名用户出错,并且我无法删除它,因为我担心它会使我的网站容易受到黑客攻击.
I am now in a position where I can't have it since it causes error for hundreds of users per day and I can't remove it because I am afraid that it will make my website vulnerable for hacks.
那我该怎么办?有一个像样的中间立场吗?
So, what can I do? Is there a decent middle ground?
有什么办法可以改变protect_from_forgery,并且仍然相当有信心我不会被黑客破坏我的数据库?
Is there any way I can alter the protect_from_forgery and still feel fairly confident that I will not have my database destroyed by hackers?
我没有为该网站使用任何API,所有错误均来自同一类型的表单.我知道此问题有一个JavaScript部分,但实际上我不是如何使用这些信息来解决问题.
I am not using any API for the site and all of the errors come from the same type of form. I understand there is a javascript part to this problem but not really how I can use that information to solve the problem.
提前谢谢!
我得到的异常示例:
An ActionController::InvalidAuthenticityToken occurred in calculations#result:
ActionController::InvalidAuthenticityToken
-------------------------------
Request:
-------------------------------
* URL : http://www.example.com/calculation/result
* HTTP Method: PUT
* IP address : 217.214.148.251
* Parameters : {"utf8"=>"✓", "_method"=>"put", "authenticity_token"=>"udnClerrF5UWvg84uaD82TzmPx/vWssv2wN9UPqyn10UwXqbOwa2FBtnZ5Nfo7HPh9xbA2OSrrUNineW50XiYg==", "commit"=>"Calculate", "controller"=>"calculations", "action"=>"result", "id"=>"123"}
* Timestamp : 2016-08-19 12:11:09 UTC
* Server : 2696e83c-1538-434d-ab6d-4e16577698d0
* Rails root : /app
* Process: 6
-------------------------------
Session:
-------------------------------
* session id: "42b36aacc78102605cb3365922a550b1"
* data: {"session_id"=>"42b36aacc78102605cb3365922a550b1",
"_csrf_token"=>"KU43tmmXbxxgoabHrbejg+NWWP1tUVoWABNDqO8FiFI="}
-------------------------------
Environment:
-------------------------------
* CONTENT_LENGTH : 322
* CONTENT_TYPE : application/x-www-form-urlencoded
* HTTP_ACCEPT : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
* HTTP_ACCEPT_ENCODING : gzip, deflate
* HTTP_ACCEPT_LANGUAGE : sv-se
* HTTP_CONNECTION : close
* HTTP_CONNECT_TIME : 0
* HTTP_COOKIE : __unam=91429fa-156a1632125-9bccf3-3; _ga=GA1.2.357545074.1471586444; _gat=1
* HTTP_HOST : www.example.com
* HTTP_ORIGIN : http://www.example.com
* HTTP_REFERER : http://www.kalkyleramera.se/calculation
* HTTP_TOTAL_ROUTE_TIME : 0
* HTTP_USER_AGENT : Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G34 Safari/601.1
* HTTP_VERSION : HTTP/1.1
* HTTP_VIA : 1.1 vegur
* HTTP_X_FORWARDED_FOR : 217.214.148.251
* HTTP_X_FORWARDED_PORT : 80
* HTTP_X_FORWARDED_PROTO : http
* HTTP_X_REQUEST_ID : 5e925192-d6ea-4cd3-b049-20010f11f2c2
* HTTP_X_REQUEST_START : 1471608669086
推荐答案
在此处.如果是您的问题,您应该在日志中看到Can't verify CSRF token authenticity Completed 422 Unprocessable Entity.讨论了两种解决方案
This issue is discussed here. If it is your issue, you should see Can't verify CSRF token authenticity Completed 422 Unprocessable Entity within your logs. Two solutions are discussed
- 更改缓存控制
config.action_dispatch.default_headers.merge!('Cache-Control' => 'no-store, no-cache') - 将无效会话更改为空会话
protect_from_forgery with: :null_session
- change cache control
config.action_dispatch.default_headers.merge!('Cache-Control' => 'no-store, no-cache') - change invalid session to a null session
protect_from_forgery with: :null_session
但这似乎仍然是一个未解决的问题.
But it seems to be still an open issue.
这篇关于手机中的InvalidAuthenticityToken错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
