Buggy forgery protection in Rails 2.1?

Hello,

I've just upgraded my app to Rails 2.1 and my log started to be filled
with ActionController::InvalidAuthenticityToken exceptions.

I have an application with external XML Restful access.
It seems each time a request comes from a search engine crawler (that
doesn't support sessions or cookies), Rails 2.1 raises an error even
if the documentation says:

Only HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway).

Any suggestion?

Here's the latest part of the backtrace.

"ActionController::InvalidAuthenticityToken"
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/callbacks.rb:173:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/callbacks.rb:173:in `evaluate_method'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/callbacks.rb:161:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:430:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:592:in `run_before_filters'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:578:in `call_filters'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:573:in `perform_action_without_benchmark'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/rescue.rb:201:in `perform_action_without_caching'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/caching/sql_cache.rb:13:in `perform_action'
/usr/lib/ruby/gems/1.8/gems/activerecord-2.1.0/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
/usr/lib/ruby/gems/1.8/gems/activerecord-2.1.0/lib/active_record/query_cache.rb:8:in `cache'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/caching/sql_cache.rb:12:in `perform_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/base.rb:529:in `send'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/base.rb:529:in `process_without_filters'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:569:in `process_without_session_management_support'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/session_management.rb:130:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/base.rb:389:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:149:in `handle_request'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:107:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:104:in `synchronize'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:104:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:120:in `dispatch_cgi'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:35:in `dispatch'

I do know that it changed from looking at the accept header to the content type header (http://github.com/rails/rails/commit/0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2)

Fred

You're right!

I've just discovered two additional interesting discussions about this
topic.

http://www.manning-sandbox.com/thread.jspa?threadID=24847&tstart=0
http://www.mail-archive.com/rubyonrails-deployment@googlegroups.com/msg01985.html

I think this change is going to break many existing API clients using
www-form-encoded Content-Type!

Thanks,
Simone
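To make the behaviour change Fred and Simone describe concrete, here is an added Ruby sketch (written for this page, not Rails' own code) that models the two rules side by side: deciding from the Accept header versus deciding from the Content-Type header whether a non-GET request must carry an authenticity token. The media-type list, the session token and the sample requests are constructed for the example.

```ruby
require 'set'

# Added example, not Rails' own code: a simplified model of the decision the
# thread is about. A non-GET request must carry a valid authenticity token only
# when it looks like a browser (HTML/JS) request. The commit Fred cites moved
# the "looks like a browser" test from the Accept header to the Content-Type.

# Media types treated as API traffic that the forgery check leaves alone
# (constructed list for this model).
API_TYPES = Set.new(%w[application/xml text/xml application/json text/csv])

# Constructed per-session token standing in for the real form authenticity token.
SESSION_TOKEN = 'tok-0123456789abcdef'

# Strip parameters such as "; charset=utf-8" and return the bare media type (nil if absent).
def media_type(header)
  header && header.split(';').first.strip.downcase
end

# Pre-2.1 rule (modelled): decide from the Accept header.
def checked_by_accept?(req)
  req[:method] != 'GET' && !API_TYPES.include?(media_type(req[:accept]))
end

# Rails 2.1 rule (modelled): decide from the Content-Type header; a request
# with no Content-Type is treated as browser-like in this model.
def checked_by_content_type?(req)
  req[:method] != 'GET' && !API_TYPES.include?(media_type(req[:content_type]))
end

# Returns :ok when the request passes, :invalid_authenticity_token otherwise.
def verify(req, rule)
  return :ok unless send(rule, req) # API-style request: token not required
  req[:params]['authenticity_token'] == SESSION_TOKEN ? :ok : :invalid_authenticity_token
end

# Constructed requests covering the cases discussed in the thread.
REQUESTS = {
  browser_form: { method: 'POST', accept: 'text/html',
                  content_type: 'application/x-www-form-urlencoded',
                  params: { 'authenticity_token' => SESSION_TOKEN } },
  xml_client: { method: 'POST', accept: 'application/xml',
                content_type: 'application/xml; charset=utf-8', params: {} },
  # Simone's case: an API client that wants XML back but posts a form-encoded body.
  form_encoded_api_client: { method: 'POST', accept: 'application/xml',
                             content_type: 'application/x-www-form-urlencoded', params: {} },
  crawler_get: { method: 'GET', accept: '*/*', content_type: nil, params: {} }
}

# Run both rules over every request: { name => [accept_rule_result, content_type_rule_result] }
def compare_rules
  REQUESTS.each_with_object({}) do |(name, req), out|
    out[name] = [verify(req, :checked_by_accept?), verify(req, :checked_by_content_type?)]
  end
end

puts compare_rules.map { |k, v| "#{k}: accept-rule=#{v[0]} content-type-rule=#{v[1]}" } if __FILE__ == $0
```

Only the form-encoded API client changes outcome between the two rules: it passed under the Accept-based check and fails with an invalid-token result under the Content-Type-based one, which is exactly the breakage Simone predicts.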