My login_form is generated using form_for(). However, I am using
text_field_tag and password_field_tag to generate the form fields inside
of this form, so the form is not truly bound to an object like most
Rails forms.
I can see that my login form is posting the hidden authenticity_token.
And I can also see that the value of the "autheticity_token" parameter
is definitely not the same secret as "my_secret" specified in the call
to protect_from_forgery. So the error makes sense in that respect.
I was under the impression that the protect_from_forgery call would
embed the secret provided into the forms generated by Rails? Is that
the correct understanding?
Is there something else that I need to be doing in order to make the
protect_from_forgery feature work?
I've upgraded to 2.0.2, and I can't get my login screen (the first POST
request in the application) to work.
When I post this form, I see the "InvalidAuthenticityToken" error.
I have
protect_from_forgery :secret => 'my_secret'
set in application.rb
and I am using an active_record session store based on this line in
environment.rb:
Is there something else that I need to be doing in order to make the
protect_from_forgery feature work?
Thanks,
Wes
check controllers/application.rb
class ApplicationController < ActionController::Base
helper :all # include all helpers, all the time
# See ActionController::RequestForgeryProtection for details
# Uncomment the :secret if you're not using the cookie session store
protect_from_forgery # :secret => '3218a694a55a785a0cbedf86a388f8bf'
end
Note the remarks about not using the cookie session store.
You need to be sending the token with each form post. The form_tag
block method should add it for you. Also, your sessions need to be
working. You'll know it's good if neither your session id or form
auth token change on each refresh. You can check this looking at the
development log and the source of the form (the auth token should be
in a hidden field).
I'm using restful_authentication plugin and I found that if you delete
the cookies before submitting in the login form and then you log in,
you get the exception: "ActionController::InvalidAuthenticityToken in
SessionsController#create".
I'm using restful_authentication plugin and I found that if you delete
the cookies before submitting in the login form and then you log in,
you get the exception: "ActionController::InvalidAuthenticityToken in
SessionsController#create".
Any idea to fix this?
Thanks!
1. Don't clear your cookies when you are on the login screen.
OR
2. Don't use the default cookie session store. Rails by default uses
cookies to store the sessions so when you essentially clear your cookies
while you are the login screen it clears all the information about the
session and then thinks its a forgery attempt.