Hello,

I've just upgraded my app to Rails 2.1 and my log started to be filled with ActionController::InvalidAuthenticityToken exceptions.

I have an application with external XML Restful access.
It seems each time a request comes from a search engine crawler (that doesn't support sessions or cookies), Rails 2.1 raises an error even if the documentation says:

> Only HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway).

Any suggestion?

Here's the latest part of the backtrace.

"ActionController::InvalidAuthenticityToken"
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/callbacks.rb:173:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/callbacks.rb:173:in `evaluate_method'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/callbacks.rb:161:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:430:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:592:in `run_before_filters'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:578:in `call_filters'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:573:in `perform_action_without_benchmark'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/rescue.rb:201:in `perform_action_without_caching'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/caching/sql_cache.rb:13:in `perform_action'
/usr/lib/ruby/gems/1.8/gems/activerecord-2.1.0/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
/usr/lib/ruby/gems/1.8/gems/activerecord-2.1.0/lib/active_record/query_cache.rb:8:in `cache'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/caching/sql_cache.rb:12:in `perform_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/base.rb:529:in `send'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/base.rb:529:in `process_without_filters'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/filters.rb:569:in `process_without_session_management_support'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/session_management.rb:130:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/base.rb:389:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:149:in `handle_request'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:107:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:104:in `synchronize'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:104:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:120:in `dispatch_cgi'
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_controller/dispatcher.rb:35:in `dispatch'

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en

On 11 Jun 2008, at 15:03, Simone Carletti wrote:
>
> Hello,
>
> I've just upgraded my app to Rails 2.1 and my log started to be filled
> with ActionController::InvalidAuthenticityToken exceptions.
>
> I have an application with external XML Restful access.
> It seems each time a request comes from a search engine crawler (that
> doesn't support sessions or cookies), Rails 2.1 raises an error even
> if the documentation says:
>
>> Only HTML/JavaScript requests are checked, so this will not protect
>> your XML API (presumably you'll have a different authentication
>> scheme there anyway).
>
> Any suggestion?
>

I do know that it changed from looking at the accept header to the content type header (http://github.com/rails/rails/commit/0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2)

Fred

You're right!

I've just discovered two additional interesting discussions about this topic.

http://www.manning-sandbox.com/thread.jspa?threadID=24847&tstart=0
http://www.mail-archive.com/rubyonrails-deployment-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org/msg01985.html

I think this change is going to break many existing API clients using www-form-encoded Content-Type!

Thanks,
Simone

On Jun 11, 4:09 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 11 Jun 2008, at 15:03, Simone Carletti wrote:
>
> > Hello,
>
> > I've just upgraded my app to Rails 2.1 and my log started to be filled
> > with ActionController::InvalidAuthenticityToken exceptions.
>
> > I have an application with external XML Restful access.
> > It seems each time a request comes from a search engine crawler (that
> > doesn't support sessions or cookies), Rails 2.1 raises an error even
> > if the documentation says:
>
> >> Only HTML/JavaScript requests are checked, so this will not protect
> >> your XML API (presumably you'll have a different authentication
> >> scheme there anyway).
>
> > Any suggestion?
>
> I do know that it changed from looking at the accept header to the
> content type header (http://github.com/rails/rails/commit/0697d17d121fcf9f46b5dd2dd1034dff...
> )
>
> Fred
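
The change discussed in this thread, as an added example that is not part of the original messages and is not Rails' own code: a simplified Ruby model of the two decision rules (check by Accept header versus check by Content-Type), run over three constructed requests. The Request struct, the helper names, the token value and the set of content types treated as browser-generated are all assumptions made for illustration.

```ruby
require 'set'

FORM = 'application/x-www-form-urlencoded'
# Content types an HTML form can send (its enctype values). Assumption: this
# set stands in for what the framework treats as browser-generated.
BROWSER_CONTENT_TYPES = Set[FORM, 'multipart/form-data', 'text/plain'].freeze

# Constructed request model; field names are hypothetical.
Request = Struct.new(:http_method, :accept, :content_type, :token)

def media_type(header)
  header.to_s.split(/[;,]/).first.to_s.strip.downcase
end

# Older rule per the quoted documentation: only HTML/JavaScript requests,
# identified here by the Accept header, are checked.
def checked_by_accept?(req)
  return false if req.http_method == 'GET'
  ['', 'text/html', 'text/javascript'].include?(media_type(req.accept))
end

# Newer rule per the thread: the request's Content-Type decides.
def checked_by_content_type?(req)
  return false if req.http_method == 'GET'
  type = media_type(req.content_type)
  type.empty? || BROWSER_CONTENT_TYPES.include?(type)
end

def outcome(req, session_token, rule)
  return :not_checked unless send(rule, req)
  req.token == session_token ? :accepted : :invalid_authenticity_token
end

SESSION_TOKEN = 'tok123' # constructed value
SAMPLES = {
  xml_client:   Request.new('POST', 'application/xml', 'application/xml', nil),
  form_client:  Request.new('POST', 'application/xml', FORM, nil),
  browser_form: Request.new('POST', 'text/html', "#{FORM}; charset=UTF-8", SESSION_TOKEN)
}.freeze

def compare(samples = SAMPLES)
  samples.transform_values do |req|
    { accept_rule: outcome(req, SESSION_TOKEN, :checked_by_accept?),
      content_type_rule: outcome(req, SESSION_TOKEN, :checked_by_content_type?) }
  end
end

compare.each { |name, result| puts "#{name}: #{result}" }
```

Only form_client changes outcome between the two rules: an API client that posts form-encoded data without a token is not checked under the Accept rule and is rejected under the Content-Type rule, which is the breakage described in the last message.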