I have two controllers in my rails app. The method described in the link
above works with the actions in one controller, but does not work with
the other.
The controller which does not work has just one action which performs a
file upload. In this controller, if I don't put "skip_before_filter
:verify_authenticity_token" at the top, the file upload doesn't work. I
have pasted the upload action below:
render(:xml => "<response>Finished!</response>") if succeeded
end
Why is it that the authenticity_token variable is being detected in one
controller and not the other? I'd be very grateful if someone could help
me out with this.
Thanks for the tip. I changed my code to use the external interface call
from flex. But the problem persists. Even with my previous code, there
wasn't any problem in sending the authenticity token from flex to rails.
Rails is receiving the token, as shown in the log output.
As you can see, I'm using POST and the "authenticity_token" variable is
present. What worked for the first controller, is not working for the
second. I can't figure out why.
Hmm, ok. The only other time I've seen this behaviour is when the
cookie for the site isn't getting set, or is getting set with the
wrong domain. One quick test, could you compare the authenticity token
value as put in the HTML vs what gets passed in as a post parameter?
I don't understand what you want me to do exactly. Isn't the
authenticity token being sent from the HTML to Flex in the first place?
That same value is coming back from flex as a POST variable, right?
So how would they differ?
Do you want me to put a text field in the HTML and put the authenticity
token into it and check if the POST value matches it?
One avenue to explore is that the authenticity token is based on the session (either a value in it, or the session etc...). If the flex stuff doesn't use rails' session cookie then you would get an invalid authenticity token error.
What Fred said. Open up the HTML source in your browser and find the
authenticity token. Now open up the web server logs
(log/development.log most likely). Now do the post from Flex.
Compare the two values. They're probably different for you and that's
what's throwing the error. The difference is because the auth token is
built from the session id, and if your session stuff is messed up
somehow, Rails will find a discrepancy and error out.
But is the session id the same for the request for the page where you
click upload and for the upload request itself? (and obviously when
the session id changes so does the authenticity token, so that hard
coded value in getAuthenticityToken will only get you so far.)
It looks as if "Mister" had the same problem. Although he was using JSP,
I believe you get a good explanation of what is going on.
"Firefox apparently uses another instance of the browser window to
dispatch the uploaded file, this window does not have the session. I
searched for some possible answer and it seems you need to ask the
correction combination of questions to find the solution. The Flex
documentation seems to hint at part of the issue, but nothing direct
enough."
Thanks. I'll look closer into that. But I was testing on Safari (Mac)
and not Firefox.
But lately, I've been having more problems with the authentication /
session ID stuff. More of my actions started giving me the same error. I
ended up just switching off the verification authenticity globally. It
seems to be such a pain to configure when you are not using plain
erb/rhtml web apps.
And surprisingly few people seem to know about these issues.
Thanks again. I just had a quick scan over that post you linked to. I'll
give it a closer look.
Issues that can be overcome very easily (see below). It is a very bad idea to disable the authenticity token, it was put in place to protect your site from malicious attacks.
The solution is pretty simple to be honest:
In your view layout file, add this to the section:
It will automatically add the authenticity token to ALL ajax requests, even those you invoke from custom code (graceful degrading and/or even delegated events for example).
As for file uploaders, a normal field within a form (multipart=true) will be sent as part of the form (and isn’t an ajax request in the first place) and shouldn’t be a problem. If you are using ANY other “ajax” uploader, there’s more to it. I already posted several times on how to get SWFUpload to play nicely with Rails, an overview with links to the appropriate posts can be found here:
Would your solution above work for Flex apps as well? I'm using no AJAX.
Just Flex and rails. Even the upload is done from within Flex.
As I've mentioned previously in the post, I am sending the authenticity
token along with all my requests to rails. But the problem is that the
authenticity token that is sent becomes invalid because of a changing
Session ID.
If you look at the post about getting SWFUpload up and running, you’ll notice there’s a patch for the session handling in there that allows you to pass the session data as normal post parameters instead of a cookie and make Rails detect and use it. Flex being a Flash-based frontend, you should be able to do the same. My guess is that ActionScript will have a similar way of automatically adding that data to each request. Maybe someone on this list has already integrated a Flex-based app this way (I know there are some Flex developers on this list), else you’ll have to ask on a Flex forum/mailing list.
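
A sketch of the session-restoring approach described in the reply above, as an added example that is not code from this thread or from the SWFUpload posts: a Rack-style middleware puts the session id back into the Cookie header for cookieless upload POSTs, so the token check stays enabled. The cookie name `_myapp_session`, the `/upload` route, the in-memory `SESSIONS` store and the toy token check are assumptions, and the session id is read from the query string for brevity where the thread's patch reads POST parameters.

```ruby
require "uri"
require "securerandom"

SESSION_KEY = "_myapp_session"  # assumed session cookie name
UPLOAD_PATH = "/upload"         # assumed upload route
SESSIONS = {}                   # toy server-side store: session id => token

# Rack-style middleware on a plain env hash (no gems needed). For cookieless
# POSTs to the upload route only, copy the session id from the query string
# into the Cookie header so the normal session lookup and token check run.
class FlashSessionCookie
  def initialize(app)
    @app = app
  end

  def call(env)
    if env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == UPLOAD_PATH &&
       env["HTTP_COOKIE"].to_s.empty?
      sid = URI.decode_www_form(env["QUERY_STRING"].to_s).to_h[SESSION_KEY]
      env["HTTP_COOKIE"] = "#{SESSION_KEY}=#{sid}" if sid
    end
    @app.call(env)
  end
end

# Toy stand-in for the token check: a token is valid only for the session
# it was issued to, so a request arriving without that session is rejected.
UPLOAD_APP = lambda do |env|
  sid = env["HTTP_COOKIE"].to_s[/#{Regexp.escape(SESSION_KEY)}=([^;]+)/, 1]
  sent = URI.decode_www_form(env["QUERY_STRING"].to_s).to_h["authenticity_token"]
  ok = !SESSIONS[sid].nil? && SESSIONS[sid] == sent
  [ok ? 200 : 422, {}, [ok ? "Finished!" : "InvalidAuthenticityToken"]]
end

# Constructed request: a Flash-style upload POST that carries no cookie.
def flash_upload(app, sid, token)
  query = URI.encode_www_form(SESSION_KEY => sid, "authenticity_token" => token)
  env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => UPLOAD_PATH,
          "QUERY_STRING" => query, "HTTP_COOKIE" => "" }
  app.call(env)[0]
end

def demo
  sid, token = SecureRandom.hex(16), SecureRandom.hex(16)
  SESSIONS[sid] = token
  patched = FlashSessionCookie.new(UPLOAD_APP)
  [flash_upload(UPLOAD_APP, sid, token),  # no session cookie, token cannot match
   flash_upload(patched, sid, token),     # session restored, token accepted
   flash_upload(patched, sid, "forged")]  # token check is still enforced
end
```

Keeping the middleware limited to the one upload route matters because a session id carried in a URL or form field is more likely to end up in logs than one carried in a cookie.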