I've attached an Ajax POST request to a link. The request is failing
(InvalidAuthenticityToken) because I'm not sending the authenticity
token with it.

Searching the forums led me to these two methods...

request_forgery_protection_token

... and...

form_authenticity_token

... which I can use to generate the necessary information on my HTML pages.
However, because I am not building a complete form for this request, I
thought I would place the information into an arbitrary input field, but
I'm not sure where.

For the sake of being practical and consistent, I thought the footer a
good place. Example...
<div id="footer">
  <p>Copyright...</p>
  <p style="display: none;">
    <input type="text" name="authenticity_token" value="..." />
  </p>
</div>
With that in place I can reference it via JavaScript as needed.

I don't think having the authenticity token on _every_ page is less
secure than having it on _some_ pages.

Does anyone feel differently?
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
How are you creating the Ajax request? Helpers like link_to_remote should already include the authenticity token. Similarly you can use remote_function if you need to mix it into other js and that helper gives you the authenticity token as well.

On Apr 1, 6:51 pm, Daniel Waite <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> I've attached an Ajax POST request to a link. The request is failing
> (InvalidAuthenticityToken) because I'm not sending the authenticity
> token with it.
AndyV wrote:
> How are you creating the Ajax request?

With jQuery.

> Helpers like link_to_remote should already include the authenticity
> token. Similarly you can use remote_function if you need to mix it into
> other js and that helper gives you the authenticity token as well.

True, they do, but I don't want to mix JavaScript into my HTML -- even if it's only visible once the page is rendered (i.e. view source).

I also prefer to keep my JavaScript in .js files.

Thanks for the suggestions though. I've gone ahead and done as I described above: put the authenticity token into a hidden field in my footer. It works as expected and I don't foresee any issues.

--
Posted via http://www.ruby-forum.com/.
On Wed, Apr 2, 2008 at 2:38 PM, Daniel Waite <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Thanks for the suggestions though. I've gone ahead and done as I
> described above: put the authenticity token into a hidden field in my
> footer. It works as expected and I don't foresee any issues.

You could also set something like

  window.authenticityToken = '<%= form_authenticity_token %>';

Having it in every page is not a problem. The token is based on your session id and is unique for everyone. It doesn't replace authentication in any way.

--
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
Rick Olson wrote:
> You could also set something like
>
>   window.authenticityToken = '<%= form_authenticity_token %>';
>
> Having it in every page is not a problem. The token is based on your
> session id and is unique for everyone. It doesn't replace
> authentication in any way.

Ah, I like that! Setting it in JavaScript makes even _more_ sense! Good one, Rick. Thanks.

--
Posted via http://www.ruby-forum.com/.
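The two approaches discussed in this thread (Daniel's hidden `authenticity_token` input in the footer and Rick's `window.authenticityToken` variable) both leave the external .js file with the same job: find the token on the page and merge it into the POST data as the `authenticity_token` parameter that `protect_from_forgery` checks. The following is an added example, not code from the thread or from Rails; the function names, the constructed stand-in document and the sample request are all assumptions. It also adds a check the thread does not mention but a practitioner would want: the token is only attached to requests going to the page's own origin, since sending it anywhere else would hand out the very value the CSRF check relies on.

```javascript
// Added example, not code from the thread: reading the Rails authenticity
// token that the page exposes and attaching it to a same-origin Ajax POST
// from an external .js file. The token can come from Daniel's hidden input
// named "authenticity_token" or from Rick's window.authenticityToken.
// Function and parameter names here are hypothetical.

// Find the token on the page, preferring the window variable when set.
function readAuthenticityToken(doc, win) {
  if (win && typeof win.authenticityToken === "string" && win.authenticityToken !== "") {
    return win.authenticityToken;
  }
  const input = doc && typeof doc.querySelector === "function"
    ? doc.querySelector('input[name="authenticity_token"]')
    : null;
  return input && input.value ? input.value : null;
}

// Build the form-encoded body for the POST. protect_from_forgery looks for
// the "authenticity_token" parameter, so it is merged into the data. The
// token is only ever sent to the page's own origin: handing it to another
// site would defeat the CSRF protection it exists to provide.
function buildPostBody(params, token, targetUrl, pageOrigin) {
  if (!token) {
    throw new Error("no authenticity token available on this page");
  }
  const target = new URL(targetUrl, pageOrigin);
  if (target.origin !== pageOrigin) {
    throw new Error("refusing to send the authenticity token cross-origin");
  }
  const body = new URLSearchParams(params);
  body.set("authenticity_token", token);
  return body.toString();
}

// Constructed stand-in for the footer markup from the first message, so the
// example runs outside a browser. On a real page, pass `document` and `window`.
const fakeDoc = {
  querySelector(selector) {
    return selector === 'input[name="authenticity_token"]'
      ? { value: "constructed-token-123" }
      : null;
  },
};

// Walk through the whole flow for a constructed "archive post 42" request.
function demo() {
  const token = readAuthenticityToken(fakeDoc, {});
  return buildPostBody(
    { id: "42", action: "archive" },
    token,
    "/posts/42/archive",
    "https://example.test"
  );
}

// With jQuery on a real page the body is handed straight to $.ajax, e.g.
//   $.ajax({ type: "POST", url: "/posts/42/archive",
//            data: buildPostBody(params, token, "/posts/42/archive", location.origin) });
console.log(demo());
```

The origin check is what keeps a globally available token from becoming a liability: it is fine for the token to be on every page, as Rick says, as long as the script only ever submits it back to the same site, and the check makes that property explicit rather than accidental.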