I have a simple login controller in which I use new/create to do the login. For create, I have

    def create # do login
      session[:user_id] = nil
      u = params[:user]
      user = User.authenticate(u[:name], u[:password])
      if user
        session[:user_id] = user.id
        flash[:info] = 'Login Successful'
        redirect_to(:action => "index", :controller => 'main')
      else
        flash[:notice] = "Login Failure"
        redirect_to new_login_path
      end
    end

When I get a login failure, the redirect correctly takes me to the login screen (new), but when I submit the form I get ActionController::InvalidAuthenticityToken

There is another thread http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/cba205f4e3153d5a that suggested <%= token_tag %>.

I tried that in my form, but no joy. Can't really find much in the way of docs, couldn't even find token_tag. I know there is mention of a bug fix which is coming; does anyone know if that is going to solve this one, or is there some way of working round it other than disabling protect from forgery?

Tony

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

OK, looking at this a bit more, I can see in the forms that I am getting a different authenticity token in the form generated by submitting the url - localhost:3000/login to the one in the form generated after the redirect.

Now watching the server output, I can see that I am getting a different Session ID:
The first part is the same, but the last part is very different

Tony

You have the secret cookie set, I'm guessing, which means that in forms, you need to get rails to generate the forms, otherwise they won't have the hidden authenticity field in the form.

What does your view file look like for users/new.rhtml.erb? Is it using Rails helpers for the form tag?

Julian.

On 03/04/2008, at 5:07 PM, tonypm wrote:
>
> I have a simple login controller in which I use new/create to do the
> login. For create, I have
>
>     def create # do login
>       session[:user_id] = nil
>       u = params[:user]
>       user = User.authenticate(u[:name], u[:password])
>       if user
>         session[:user_id] = user.id
>         flash[:info] = 'Login Successful'
>         redirect_to(:action => "index", :controller => 'main')
>       else
>         flash[:notice] = "Login Failure"
>         redirect_to new_login_path
>       end
>     end
>
> When I get a login failure, the redirect correctly takes me to the
> login screen (new), but when I submit the form I get
> ActionController::InvalidAuthenticityToken
>
> There is another thread
> http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/cba205f4e3153d5a
> that suggested <%= token_tag %>.
>
> I tried that in my form, but no joy. Can't really find much in the
> way of docs, couldn't even find token_tag. I know there is mention
> of a bug fix which is coming; does anyone know if that is going to
> solve this one, or is there some way of working round it other than
> disabling protect from forgery?
>
> Tony

By resetting the session, you're indubitably resetting the authenticity token.

Julian.

On 03/04/2008, at 5:29 PM, tonypm wrote:
>
> OK, looking at this a bit more, I can see in the forms that I am
> getting a different authenticity token in the form generated by
> submitting the url - localhost:3000/login to the one in the form
> generated after the redirect.
>
> Now watching the server output, I can see that I am getting a
> different Session ID:
> The first part is the same, but the last part is very different
>
> Tony
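
A simplified model of the behaviour discussed in this thread, added here as an example and not taken from any poster or from Rails itself: a forgery-protection token derived from the session stops verifying once the session changes between rendering the form and submitting it. SECRET, DemoSession and every method name below are hypothetical, and the HMAC-over-session-id scheme is an assumption chosen for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed server-side secret (assumption; stands in for the app's session secret).
SECRET = 'constructed-demo-secret-not-from-the-thread'

# Hypothetical stand-in for a server-side session with a random id.
class DemoSession
  attr_reader :id

  def initialize
    @id = SecureRandom.hex(16)
  end
end

# The token is an HMAC over the session id, so it is only valid for that session.
def authenticity_token(session)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SECRET, session.id)
end

# Constant-time comparison so the check does not leak how many characters matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server-side check performed on every non-GET request.
def verify_request(session, submitted_token)
  return :invalid_authenticity_token if submitted_token.nil?

  expected = authenticity_token(session)
  secure_compare(expected, submitted_token) ? :ok : :invalid_authenticity_token
end

# Replays the sequence from the thread: form rendered, session replaced, form submitted.
def simulate_thread_scenario
  first_session = DemoSession.new
  form_token = authenticity_token(first_session) # hidden field in the rendered form
  new_session = DemoSession.new                  # session id changed after rendering
  {
    same_session: verify_request(first_session, form_token),
    after_session_change: verify_request(new_session, form_token),
    fresh_form: verify_request(new_session, authenticity_token(new_session)),
    missing_field: verify_request(new_session, nil)
  }
end
```

When debugging this class of error, compare the session ID the form was rendered under with the one the POST arrives with; a mismatch means the token in the hidden field can no longer verify.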