为什么我的Rails应用程序认为我是CSRF? [英] Why does my Rails app think I'm CSRF?

问题描述

奇怪的定义:我的应用程序的会话模型似乎运行良好.Cookie(user.remember_token = SecureRandom.urlsafe_base64)已存储，登录仍然存在.生活是美好的.

Definition of strange: My app's session model seems to work fine. The cookie (user.remember_token = SecureRandom.urlsafe_base64) is stored, the signin persists. Life is good.

但是，当用户编辑其个人资料并单击提交"时，他们将被注销.

Yet, when a user edits their profile and clicks submit, they are logged out.

此SO问题让我认为Rails由于XSRF而结束了会话.

This SO Question makes me think that Rails is ending the session because of XSRF.

但是为什么?

通过一个链接可以得到所有信息，而不是在这里发布所有代码: https://github.com/chiperific/arcwmi_reports

Instead of posting all my code here, one link gets it all: https://github.com/chiperific/arcwmi_reports

帮助！

推荐答案

您的问题出在 User 模型中:

before_save :create_remember_token

def create_remember_token
  self.remember_token = SecureRandom.urlsafe_base64
end

这将在用户保存时(即在创建或更新用户时)修改"remember_token".当用户更新他/她的个人资料时，remember_token也将更改.这将导致登录系统注意到cookie不再与用户匹配-并注销用户.

This will modify the remember_token whenever the user is saved - that is, when the user is created or updated. And when a user updates his/her profile, the remember_token is changed. This causes the login system to notice that the cookie no longer matches the user - and logs the user out.

修复-使用 before_create 而不是 before_save .

这篇关于为什么我的Rails应用程序认为我是CSRF?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！