I've attached an Ajax POST request to a link. The request is failing
(InvalidAuthenticityToken) because I'm not sending the authenticity
token with it.
Searching the forums led me to these two methods...
request_forgery_protection_token
... and...
form_authenticity_token
Which I can use to generate the necessary information on my HTML pages.
However, because I am not building a complete form for this request, I
thought I would place the information into an arbitrary input field, but
I'm not sure where.
For the sake of being practical and consistent, I thought the footer a
good place. Example...
How are you creating the Ajax request? Helpers like link_to_remote
should already include the authenticity token. Similarly you can use
remote_function if you need to mix it into other js and that helper
gives you the authenticity token as well.

> Helpers like link_to_remote
> should already include the authenticity token. Similarly you can use
> remote_function if you need to mix it into other js and that helper
> gives you the authenticity token as well.

True, they do, but I don't want to mix JavaScript into my HTML -- even
if it's only visible once the page is rendered (i.e. view source).
I also prefer to keep my JavaScript in .js files.
Thanks for the suggestions though. I've gone ahead and done as I
described above: put the authenticity token into a hidden field in my
footer. It works as expected and I don't foresee any issues.
You could also set something like window.authenticityToken = '<%=
form_authenticity_token %>';
Having it in every page is not a problem. The token is based on your
session id and is unique for everyone. It doesn't replace
authentication in any way.

> You could also set something like window.authenticityToken = '<%=
> form_authenticity_token %>';
> Having it in every page is not a problem. The token is based on your
> session id and is unique for everyone. It doesn't replace
> authentication in any way.

Ah, I like that! Setting it in JavaScript makes even _more_ sense!
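
One way to send the token from a standalone .js file, following the two approaches discussed in this thread (an added example, not code from any of the posters). It assumes the page exposes the token either as window.authenticityToken or in a hidden field with the hypothetical id "authenticity_token", that the parameter name reported by request_forgery_protection_token is authenticity_token, and that the token is Base64 text; the function names and sample token are constructed for illustration.

```javascript
// Added example. readToken, buildAjaxPost, decodeForm and the element id
// "authenticity_token" are assumptions, not names from the thread.

// Locate the token the server rendered into the page: first the global set by
// an inline script, then the hidden field placed in the footer.
function readToken(win) {
  if (typeof win.authenticityToken === 'string' && win.authenticityToken) {
    return win.authenticityToken;
  }
  const field = win.document && win.document.getElementById('authenticity_token');
  if (field && field.value) return field.value;
  throw new Error('authenticity token not found on page');
}

// Build a form-encoded POST that carries the token alongside the real params.
// Every value goes through encodeURIComponent: a Base64 token can contain
// "+", "/" and "=", and a raw "+" is decoded as a space on the server, which
// makes the token mismatch and the request fail with InvalidAuthenticityToken.
function buildAjaxPost(url, params, token, tokenParam = 'authenticity_token') {
  const all = Object.assign({}, params, { [tokenParam]: token });
  const body = Object.keys(all)
    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(all[k]))
    .join('&');
  return {
    url,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  };
}

// Mimics how a server decodes an application/x-www-form-urlencoded body.
function decodeForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Constructed sample data standing in for the browser's window object.
const SAMPLE_TOKEN = 'aB+c/dE9fGh1=';
const pageWithGlobal = { authenticityToken: SAMPLE_TOKEN };
const pageWithField = {
  document: {
    getElementById: id => (id === 'authenticity_token' ? { value: SAMPLE_TOKEN } : null),
  },
};
```

In a browser, pass the real window to readToken and hand the returned url, method, headers and body to whatever Ajax call your JavaScript library provides.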