Rails : User logged out after destroying an unrelated object with :remote => true


Problem description


I'm following http://railscasts.com/episodes/250-authentication-from-scratch for simple authentication. It works as expected. I have a model in my app with the following partial :

<%= content_tag_for(:li, post) do %>
  <%= link_to 'Delete', post, :confirm => 'Are you sure?', :method => :delete, :remote => true %>
<% end %>

This is called in index.html.erb as follows:

<%= render :partial => @posts.reverse %>


The destroy.js.erb is as follows, which is called if the object is successfully destroyed.

$('#<%= dom_id(@post) %>').css('background', 'red');
$('#<%= dom_id(@post) %>').hide();


On clicking the delete button, the post object gets deleted properly and the destroy.js.erb is rendered correctly too. But somehow, the user is logged out. Following is the code for my posts_controller.rb :

  def destroy
    logger.error 'in destroy'
    @post = Job.find(params[:id])
    @post.destroy

    respond_to do |format|
      format.html { redirect_to(posts_url) }
      format.xml  { head :ok }
      format.js
    end
  end


Any clues why this behavior?


And, if I remove the :remote => true from the delete link, then the user remains logged in. I have log statements in the destroy method for session that are never called in either case, but if :remote => true is present then the session is somehow screwed up. On checking the cookies, I found that the cookie is not destroyed but it does get modified when the destroy method on posts is called. Not sure why this has to happen.

Recommended answer


Sounds like you are bumping into a rails security feature that is meant to protect against Cross Site Request Forgery. Adding :remote => true causes the request to be submitted via ajax without CSRF security tokens, so rails clobbers the session because it thinks it is a CSRF attack. To get around this you have a few options:


  1. A quick and dirty (and insecure) solution is to turn off the security check for that request. To do this add this line to the top of your controller:

skip_before_filter :verify_authenticity_token, :only => [:destroy]


A more secure solution is to submit the CSRF token with the AJAX call. I think this will happen automatically if you change your remote link to a button_to. Read more here.

<%= button_to 'Delete', post, :confirm => 'Are you sure?', :method => :delete, :remote => true %>


You could also use cookies to store the current_user rather than the session. The security implications of this will depend on the details of your app.
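To make the mechanism behind the answer concrete, here is an added example (not the asker's or answerer's code, and not Rails itself): a plain-Ruby stand-in for the authenticity-token check that shows why a DELETE from a bare :remote => true link ends with a reset session while button_to (token as a param) or an AJAX call carrying the X-CSRF-Token header passes. The Request struct, the CsrfGuard module and run_scenarios are constructed names for this illustration; the session is a plain hash holding user_id, and the three requests are constructed inputs.

```ruby
require 'securerandom'

# Hypothetical request object standing in for ActionDispatch::Request.
Request = Struct.new(:verb, :params, :headers, :session, keyword_init: true)

module CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Per-session token; Rails keeps it in session[:_csrf_token].
  def self.form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end
  # The token may arrive as the authenticity_token param (forms, button_to) or
  # as the X-CSRF-Token header (what rails.js copies from csrf_meta_tag onto
  # AJAX calls). A plain link_to with :remote => true sends neither.
  def self.verified?(request)
    return true if SAFE_METHODS.include?(request.verb)
    expected = request.session[:_csrf_token]
    submitted = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
    return false if expected.nil? || submitted.nil?
    secure_compare(submitted, expected)
  end
  # What the asker saw: an unverified request is not rejected with an error;
  # the session is reset, so session[:user_id] (current_user) disappears.
  def self.handle(request)
    return :ok if verified?(request)
    request.session.clear
    :session_reset
  end
  # Constant-time comparison so the check does not leak the token byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Three constructed DELETE /posts/1 requests, each from a fresh logged-in session.
def run_scenarios
  results = {}
  { remote_link: {}, button_to: { param: true }, ajax_with_header: { header: true } }.each do |name, opts|
    session = { user_id: 42 }
    token = CsrfGuard.form_authenticity_token(session)
    params = opts[:param] ? { 'authenticity_token' => token } : {}
    headers = opts[:header] ? { 'X-CSRF-Token' => token } : {}
    req = Request.new(verb: 'DELETE', params: params, headers: headers, session: session)
    results[name] = [CsrfGuard.handle(req), session[:user_id]]
  end
  results
end
```

Only the remote_link scenario comes back as [:session_reset, nil], which is the logout the question describes; the other two keep user_id 42.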
