Authenticity token lying around...

I've attached an Ajax POST request to a link. The request is failing
(InvalidAuthenticityToken) because I'm not sending the authenticity
token with it.

Searching the forums led me to these two methods...

request_forgery_protection_token

... and...

form_authenticity_token

Which I can use to generate the necessary information on my HTML pages.
However, because I am not building a complete form for this request, I
thought I would place the information into an arbitrary input field, but
I'm not sure where.

For the sake of being practical and consistent, I thought the footer a
good place. Example...

<div id="footer">
  <p>Copyright...</p>
  <p style="display: none;">
    <input type="text" name="authenticity_token" value="..." />
  </p>
</div>

With that in place I can reference it via JavaScript as needed.

I don't think having the authenticity token on _every_ page is less
secure than having it on _some_ pages.

Does anyone feel differently?

How are you creating the ajax request? Helpers like link_to_remote
should already include the authenticity token. Similarly you can use
remote_function if you need to mix it into other js and that helper
gives you the authenticity token as well.

AndyV wrote:

> How are you creating the ajax request?

With jQuery.

> Helpers like link_to_remote
> should already include the authenticity token. Similarly you can use
> remote_function if you need to mix it into other js and that helper
> gives you the authenticity token as well.

True, they do, but I don't want to mix JavaScript into my HTML -- even
if it's only visible once the page is rendered (i.e. view source).

I also prefer to keep my JavaScript in .js files.

Thanks for the suggestions though. I've gone ahead and done as I
described above: put the authenticity token into a hidden field in my
footer. It works as expected and I don't foresee any issues.

You could also set something like window.authenticityToken = '<%=
form_authenticity_token %>';

Having it in every page is not a problem. The token is based on your
session id and is unique for everyone. It doesn't replace
authentication in any way.

Rick Olson wrote:

> You could also set something like window.authenticityToken = '<%=
> form_authenticity_token %>';
>
> Having it in every page is not a problem. The token is based on your
> session id and is unique for everyone. It doesn't replace
> authentication in any way.

Ah, I like that! Setting it in JavaScript makes even _more_ sense!

Good one, Rick. Thanks.
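The following Ruby is an added illustration written for this page; it is not Rails' own code and not code from anyone in the thread. It models the two halves of the discussion in one place: the server issuing a session-bound token and rejecting a POST that lacks it (the InvalidAuthenticityToken failure from the first post), and the client supplying the token it read from the page (the hidden footer field or window.authenticityToken). It also shows why Rick's point holds: the token is a function of the session, so the same value appears on every page of one session and a token lifted from another session is rejected. The token derivation (SHA-1 over the session id and an app secret), the APP_SECRET value and the session ids are assumptions chosen for illustration, not the exact Rails algorithm or real values.

```ruby
require 'digest/sha1'

# Added illustration, not Rails' own code. The derivation below (SHA-1 over
# the session id and an app secret) is an assumption for illustration only.
APP_SECRET = 'constructed-app-secret'.freeze

class InvalidAuthenticityToken < StandardError; end

# Server side: the token rendered into the page (hidden footer field or
# window.authenticityToken) depends only on the visitor's session, so every
# page of one session carries the same value and another session gets a
# different one.
def form_authenticity_token(session_id)
  Digest::SHA1.hexdigest("--#{session_id}--#{APP_SECRET}--")
end

# Constant-time comparison so the check does not leak how many leading
# bytes of a supplied token matched the expected one.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Server side: the check protect_from_forgery performs on a non-GET request.
# A missing or mismatching token raises, which is the failure the thread
# started with.
def verify_authenticity_token!(session_id, params)
  supplied = params['authenticity_token']
  expected = form_authenticity_token(session_id)
  raise InvalidAuthenticityToken if supplied.nil? || !secure_compare(supplied, expected)
  true
end

# Convenience wrapper: true when the request would be rejected.
def request_rejected?(session_id, params)
  verify_authenticity_token!(session_id, params)
  false
rescue InvalidAuthenticityToken
  true
end

# Client side, modelled in Ruby: the parameter set the jQuery POST sends.
# token_from_page is what the script read from the hidden input's value or
# from window.authenticityToken; nil models the original failing request.
def ajax_post_params(token_from_page, data)
  token_from_page ? data.merge('authenticity_token' => token_from_page) : data
end

if __FILE__ == $PROGRAM_NAME
  sid = 'constructed-session-id-1'                 # constructed session id
  page_token = form_authenticity_token(sid)        # value placed in the page
  puts verify_authenticity_token!(sid, ajax_post_params(page_token, 'id' => '1'))
  puts request_rejected?(sid, ajax_post_params(nil, 'id' => '1'))            # no token: rejected
  puts request_rejected?('other-session', ajax_post_params(page_token, {}))  # wrong session: rejected
end
```

The request_rejected? helper exists only so the three outcomes can be checked as return values; in a real app the controller filter raises and Rails turns that into the error response the first post describes.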