Question on authenticity tokens

Does anyone find them useful? I can see them being good in some cases,
but I have many exceptions that occur because of expired sessions. I am
also not sure if they are really required for pages that require a login
to access.

The other place they cause issues is in JavaScript requests. I am
not using the built-in helpers, and all the JavaScript exists in
separate js files. There are ways to get around this, but they are

Is there a way to turn them off?

Here is an example of the code that requires the token. If anyone knows
an easy way to solve the problem, please let me know.

It's turned on by the protect_from_forgery line in your
application.rb. The rdoc for that method should show you how to have it
enabled only for some stuff and how to generate the token.
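As an added example (not code from this thread and not Rails' own implementation), here is a small plain-Ruby model of the session-bound token check that protect_from_forgery performs: the token is derived from the session, so once the session expires every token in an already-rendered page stops verifying, which is the failure mode described above. The secret, the Session class, the request hash shape and the except: list are all assumptions made for the illustration; Rails derives its token differently.

```ruby
require 'openssl'
require 'securerandom'

# Assumption: an app-wide secret, as Rails keeps in its config.
SECRET = 'replace-with-a-long-random-secret'.freeze

# Raised on a failed check; plays the role of
# ActionController::InvalidAuthenticityToken (the exception in the emails).
class InvalidAuthenticityToken < StandardError; end

# Minimal stand-in for a server-side session: only its id matters here.
class Session
  attr_reader :id
  def initialize
    @id = SecureRandom.hex(16)
  end
end

# Token bound to the session via an HMAC over the session id. It cannot be
# forged without SECRET and is only meaningful while that session exists.
def authenticity_token(session)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, session.id)
end

# Constant-time comparison so timing does not leak the token byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  res = 0
  b.each_byte { |byte| res |= byte ^ left.shift }
  res.zero?
end

# Hypothetical request: { method:, action:, params: }, the pieces a
# controller filter sees. Safe verbs are not checked, and `except:` mirrors
# exempting some actions (e.g. an API endpoint with its own auth scheme).
def verified_request?(request, session, except: [])
  return true if %w[GET HEAD].include?(request[:method])
  return true if except.include?(request[:action])
  submitted = request[:params]['authenticity_token'].to_s
  secure_compare(submitted, authenticity_token(session))
end

def verify!(request, session, except: [])
  raise InvalidAuthenticityToken unless verified_request?(request, session, except: except)
  true
end

# Walk through the expiry case: a page rendered under one session is submitted
# after the session cookie expired and the server started a fresh session.
def demo
  session = Session.new
  page_token = authenticity_token(session)
  delete = { method: 'POST', action: 'destroy',
             params: { '_method' => 'delete', 'authenticity_token' => page_token } }

  fresh = verified_request?(delete, session)
  expired = Session.new # new session id, so the old page token no longer matches
  after_expiry = verified_request?(delete, expired)
  get = verified_request?({ method: 'GET', action: 'show', params: {} }, expired)

  { fresh: fresh, after_expiry: after_expiry, get: get }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

Note that the GET case passes even against the expired session: the check only guards state-changing requests, which is also why a JavaScript delete sent without the token fails while the page loads that preceded it did not.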


Hey Fred,
Thanks for the info.

As mentioned in the protect_from_forgery docs, setting a window._token
var in the application template file allows one to easily pass the

$.post(url, {'_method': "delete", 'authenticity_token': window._token});

For one small live app I get the occasional exception email notifying me
that someone's authentication token expired. I have never been able to
replicate this exception. Does anyone know if the user is getting
slapped with a 422, or are they just being redirected to the login page?


Frederick Cheung wrote: