Rails - Oct 2008 - authenticity_token sent, still InvalidAuthenticityToken

Hi!

To send the authenticity token from flex back to the server, I followed
this:
http://blog.dt.org/index.php/2008/06/rails-2-flex-3-and-form-authenticity-tokens/

I have two controllers in my rails app. The method described in the link
above works with the actions in one controller, but does not work with
the other.

The controller which does not work has just one action which performs a
file upload. In this controller, if I don''t put
"skip_before_filter
:verify_authenticity_token" at the top, the file upload doesn''t
work. I
have pasted the upload action below:

def upload_image
    directory = "public" + params[ :temp_Image_Location ].to_s
    pRandomFileName = params[ :random_File_Name ].to_s
    pFileData = params[ :Filedata ]

    vFilePath = File.join( directory, pRandomFileName )

    succeeded = File.open( vFilePath, "wb" ) { |vBuffer|
vBuffer.write(
pFileData.read ) }

    render(:xml => "<response>Finished!</response>") if
succeeded
  end

Why is it that the authenticity_token variable is being detected in one
controller and not the other? I''d be very grateful if someone could
help
me out with this.

Thanks.
Anjan
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Authenticity token is checked for all POST requests (aka POST / PUT /
DELETE). If you''re doing just GET then the system doesn''t look
for a
token.

An easier way to grab the auth token than what''s specified in the blog
post is to use ExternalInterface and a javascript function:

html:

<script language="Javascript">
function getAuthKey() { return "<%= form_authenticity_token %>";
}
</script>

Flash:

var authToken:String = ExternalInterface.call("getAuthKey");

Which then needs to be added to the .data field of an URLRequest you process.

Hope that helps.

Jason

On Fri, Oct 10, 2008 at 8:29 AM, Anjan Tek
<rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
wrote:
>
> Hi!
>
> To send the authenticity token from flex back to the server, I followed
> this:
>
http://blog.dt.org/index.php/2008/06/rails-2-flex-3-and-form-authenticity-tokens/
>
> I have two controllers in my rails app. The method described in the link
> above works with the actions in one controller, but does not work with
> the other.
>
> The controller which does not work has just one action which performs a
> file upload. In this controller, if I don''t put
"skip_before_filter
> :verify_authenticity_token" at the top, the file upload
doesn''t work. I
> have pasted the upload action below:
>
> def upload_image
>    directory = "public" + params[ :temp_Image_Location ].to_s
>    pRandomFileName = params[ :random_File_Name ].to_s
>    pFileData = params[ :Filedata ]
>
>    vFilePath = File.join( directory, pRandomFileName )
>
>    succeeded = File.open( vFilePath, "wb" ) { |vBuffer|
vBuffer.write(
> pFileData.read ) }
>
>    render(:xml =>
"<response>Finished!</response>") if succeeded
>  end
>
> Why is it that the authenticity_token variable is being detected in one
> controller and not the other? I''d be very grateful if someone
could help
> me out with this.
>
> Thanks.
> Anjan
> --
> Posted via http://www.ruby-forum.com/.
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi!

I am using POST, not GET.

Thanks for the tip. I changed my code to use the external interface call 
from flex. But the problem persists. Even with my previous code, there 
wasn''t any problem in sending the authenticity token from flex to
rails.
Rails is receiving the token, as shown in the log output.

Processing QuestionsController#insert (for 192.170.50.67 at 2008-10-10 
19:39:21) [POST]
  Session ID: 
BAh7BzoMY3NyZl9pZCIlNjJiYjY0OTQ1NGQ3MWI1OWE5OWM2MTMzNzFjNzdj
NjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=--8e7dec53efd7dd4aaadd3c78e0b1d224e1cd55e7
  Parameters:
{"xml_Question"=>"<error>Error</error>",
"authenticity_token"=>"26614e317154739eade694d4721873093f317384",
"temp_Image_Location"=>"http://192.170.50.67:3000/images/temp",
"action"=>"insert", "uuid"=>"",
"controller"=>"questions",
"images_To_Be_Moved"=>""}
Completed in 0.00364 (274 reqs/sec) | Rendering: 0.00011 (2%) | DB: 
0.00000 (0%) | 200 OK [http://192.170.50.67/questions/insert]

The above is the log output for the controller which works.


The following log output is for the image upload action.

Processing UploadController#upload_image (for 192.170.50.67 at 
2008-10-10 19:39:48) [POST]
  Session ID: 8ce910b4f637abc4a02844057c6ebc0b
  Parameters: {"Filename"=>"France.gif", 
"authenticity_token"=>"26614e317154739eade694d4721873093f317384",
"temp_Image_Location"=>"/images/temp",
"action"=>"upload_image",
"Upload"=>"Submit Query",
"controller"=>"upload",
"random_File_Name"=>"1223647783541_517.gif", 
"Filedata"=>#<ActionController::UploadedStringIO:0x25ee6cc>}


ActionController::InvalidAuthenticityToken 
(ActionController::InvalidAuthenticityToken):
   
/Library/Ruby/Gems/1.8/gems/actionpack-2.1.0/lib/action_controller/request_forgery_protection.rb:86:in
`verify_authenticity_token''


As you can see, I''m using POST and the "authenticity_token"
variable is
present. What worked for the first controller, is not working for the 
second. I can''t figure out why.

Any insights?

Thanks.
Anjan
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hmm, ok. The only other time I''ve seen this behaviour is when the
cookie for the site isn''t getting set, or is getting set with the
wrong domain. One quick test, could you compare the authenticity token
value as put in the HTML vs what gets passed in as a post parameter?

Jason

On Fri, Oct 10, 2008 at 10:05 AM, Anjan Tek
<rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
wrote:
>
> Hi!
>
> I am using POST, not GET.
>
> Thanks for the tip. I changed my code to use the external interface call
> from flex. But the problem persists. Even with my previous code, there
> wasn''t any problem in sending the authenticity token from flex to
rails.
> Rails is receiving the token, as shown in the log output.
>
> Processing QuestionsController#insert (for 192.170.50.67 at 2008-10-10
> 19:39:21) [POST]
>  Session ID:
> BAh7BzoMY3NyZl9pZCIlNjJiYjY0OTQ1NGQ3MWI1OWE5OWM2MTMzNzFjNzdj
> NjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
> c2h7AAY6CkB1c2VkewA=--8e7dec53efd7dd4aaadd3c78e0b1d224e1cd55e7
>  Parameters:
{"xml_Question"=>"<error>Error</error>",
>
"authenticity_token"=>"26614e317154739eade694d4721873093f317384",
>
"temp_Image_Location"=>"http://192.170.50.67:3000/images/temp",
> "action"=>"insert",
"uuid"=>"",
"controller"=>"questions",
> "images_To_Be_Moved"=>""}
> Completed in 0.00364 (274 reqs/sec) | Rendering: 0.00011 (2%) | DB:
> 0.00000 (0%) | 200 OK [http://192.170.50.67/questions/insert]
>
> The above is the log output for the controller which works.
>
>
> The following log output is for the image upload action.
>
> Processing UploadController#upload_image (for 192.170.50.67 at
> 2008-10-10 19:39:48) [POST]
>  Session ID: 8ce910b4f637abc4a02844057c6ebc0b
>  Parameters: {"Filename"=>"France.gif",
>
"authenticity_token"=>"26614e317154739eade694d4721873093f317384",
> "temp_Image_Location"=>"/images/temp",
"action"=>"upload_image",
> "Upload"=>"Submit Query",
"controller"=>"upload",
> "random_File_Name"=>"1223647783541_517.gif",
>
"Filedata"=>#<ActionController::UploadedStringIO:0x25ee6cc>}
>
>
> ActionController::InvalidAuthenticityToken
> (ActionController::InvalidAuthenticityToken):
>   
/Library/Ruby/Gems/1.8/gems/actionpack-2.1.0/lib/action_controller/request_forgery_protection.rb:86:in
> `verify_authenticity_token''
>
>
> As you can see, I''m using POST and the
"authenticity_token" variable is
> present. What worked for the first controller, is not working for the
> second. I can''t figure out why.
>
> Any insights?
>
> Thanks.
> Anjan
> --
> Posted via http://www.ruby-forum.com/.
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

I don''t understand what you want me to do exactly. Isn''t the 
authenticity token being sent from the HTML to Flex in the first place? 
That same value is coming back from flex as a POST variable, right?

So how would they differ?

Do you want me to put a text field in the HTML and put the authenticity 
token into it and check if the POST value matches it?

I''m confused.
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On 14 Oct 2008, at 16:13, Anjan Tek wrote:
>
> I don''t understand what you want me to do exactly. Isn''t
the
> authenticity token being sent from the HTML to Flex in the first  
> place?
> That same value is coming back from flex as a POST variable, right?
>
> So how would they differ?
>
> Do you want me to put a text field in the HTML and put the  
> authenticity
> token into it and check if the POST value matches it?
>
One avenue to explore is that the authenticity token is based on the  
session (either a value in it, or the session etc...) if the flex  
stuff doesn''t use rails'' session cookie then you would get an
invalid
authenticity token error.

Fred

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Tue, Oct 14, 2008 at 11:25 AM, Frederick Cheung
<frederick.cheung-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
>
>
> On 14 Oct 2008, at 16:13, Anjan Tek wrote:
>
>>
>> I don''t understand what you want me to do exactly.
Isn''t the
>> authenticity token being sent from the HTML to Flex in the first
>> place?
>> That same value is coming back from flex as a POST variable, right?
>>
>> So how would they differ?
>>
>> Do you want me to put a text field in the HTML and put the
>> authenticity
>> token into it and check if the POST value matches it?
>>
>
> One avenue to explore is that the authenticity token is based on the
> session (either a value in it, or the session etc...) if the flex
> stuff doesn''t use rails'' session cookie then you would
get an invalid
> authenticity token error.
>
> Fred
>
What Fred said. Open up the HTML source in your browser and find the
authenticity token. Now open up the web server logs
(log/development.log most likely). Now do the post from Flex.

Compare the two values. They''re probably different for you and
that''s
what''s throwing the error. The difference is because the auth token is
built from the session id, and if your session stuff is messed up
somehow, Rails will find a discrepency and error out.

Jason

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

This is in my HTML source:

<script language="Javascript">
function getAuthenticityToken()
{
  return "86b74406048a7f629bd560eab8de771a74c620be";
}
</script>

___________________________________________

And this is what I get from the logs:

Processing UploadController#upload_image (for 192.170.50.67 at 
2008-10-15 12:58:50) [POST]
  Session ID: fbcd2a610aa9c048c82f1d5733f56837
  Parameters: {"Filename"=>"Sunflower.gif", 
"temp_Image_Location"=>"/images/temp", 
"authenticity_token"=>"86b74406048a7f629bd560eab8de771a74c620be",
"action"=>"upload_image",
"Upload"=>"Submit Query",
"controller"=>"upload",
"random_File_Name"=>"1224055727771_274.gif",
"Filedata"=>#<ActionController::UploadedStringIO:0x2701294>}


ActionController::InvalidAuthenticityToken 
(ActionController::InvalidAuthenticityToken):

____________________________

As you can see, both the values are the same. Still I''m getting the
same
error.

I repeat, the same code works for another controller. If what you are 
suggesting was really the case, is it possible for just one controller 
to be affected?

-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Oct 15, 8:30 am, Anjan Tek
<rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
wrote:
> And this is what I get from the logs:
>
> Processing UploadController#upload_image (for 192.170.50.67 at
> 2008-10-15 12:58:50) [POST]
>   Session ID: fbcd2a610aa9c048c82f1d5733f56837
>   Parameters: {"Filename"=>"Sunflower.gif",
> "temp_Image_Location"=>"/images/temp",
>
"authenticity_token"=>"86b74406048a7f629bd560eab8de771a74c620be",
> "action"=>"upload_image",
"Upload"=>"Submit Query",
> "controller"=>"upload",
"random_File_Name"=>"1224055727771_274.gif",
>
"Filedata"=>#<ActionController::UploadedStringIO:0x2701294>}
>
> ActionController::InvalidAuthenticityToken
> (ActionController::InvalidAuthenticityToken):
>
> ____________________________
>
> As you can see, both the values are the same. Still I''m getting
the same
> error.
>
But is the session id the same for the request for the page where you
click upload and for the upload request itself ?(and obviously when
the session id changes so does the authenticity token, so that hard
coded value in getAuthenticityToken will only get you so far.)

Fred
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi!

I think both of you have hit the nail on the head.

Just to avoid confusion, I placed all 3 of my methods in question into 
the same controller (one working method, one method that does not work 
and one method which renders the page that has the flex app in it).

Here is the log output when I load the rails app in my browser: (I''ve 
set map.root to execute the "index" method.
__________________________________________

Processing QuestionsController#index (for 192.170.50.67 at 2008-10-15 
15:56:47) [GET]
  Session ID: 594b5d72d93b07f9d6a272f301a3e0f7
  Parameters: {"action"=>"index",
"controller"=>"questions"}
Rendering questions/index
Completed in 0.00188 (531 reqs/sec) | Rendering: 0.00042 (22%) | DB: 
0.00000 (0%) | 200 OK [http://192.170.50.67/]


Processing QuestionsController#index (for 192.170.50.67 at 2008-10-15 
15:56:47) [GET]
  Session ID: 
BAh7BzoMY3NyZl9pZCIlOTdiYWM0MDM0OGM0NmRmZDkzZWJiMDhhNzIwYjIy
ODQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=--1a32065d2fd99849429fc9dec4dcb26ec4e3623a
  Parameters: {"action"=>"index",
"controller"=>"questions",
"debug"=>"true"}
Rendering questions/index
Completed in 0.00193 (517 reqs/sec) | Rendering: 0.00045 (23%) | DB: 
0.00000 (0%) | 200 OK [http://192.170.50.67/?debug=true]

________________________________________

I''ve got no idea why it executes the same method twice, but it looks 
like the second Session ID is what sticks.

Here is the log output when I call the "insert" method that works:

__________________________________________

Processing QuestionsController#insert (for 192.170.50.67 at 2008-10-15 
15:58:24) [POST]
  Session ID: 
BAh7BzoMY3NyZl9pZCIlOTdiYWM0MDM0OGM0NmRmZDkzZWJiMDhhNzIwYjIy
ODQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=--1a32065d2fd99849429fc9dec4dcb26ec4e3623a
  Parameters: 
{"authenticity_token"=>"86b74406048a7f629bd560eab8de771a74c620be",
"temp_Image_Location"=>"/images/temp",
"images_To_Be_Published"=>"",
"action"=>"insert",
"uuid"=>"927EE8CA-C86B-DDEC-C444-000C98986267",
"separator"=>"&&",
"controller"=>"questions"}
Completed in 0.00565 (176 reqs/sec) | Rendering: 0.00018 (3%) | DB: 
0.00000 (0%) | 200 OK [http://192.170.50.67/questions/insert]

__________________________________________

Notice that the Session ID is the same as the "index" method call.


Here is the log output when I call the "upload_image" method that DOES
NOT WORK:

__________________________________________


Processing QuestionsController#upload_image (for 192.170.50.67 at 
2008-10-15 15:57:33) [POST]
  Session ID: 8e7a7ad93525bce8a253542d8812ea4a
  Parameters: {"Filename"=>"Spiked.gif", 
"temp_Image_Location"=>"/images/temp", 
"authenticity_token"=>"86b74406048a7f629bd560eab8de771a74c620be",
"action"=>"upload_image",
"Upload"=>"Submit Query",
"controller"=>"questions",
"random_File_Name"=>"1224066450419_711.gif",
"Filedata"=>#<ActionController::UploadedStringIO:0x26d8600>}


ActionController::InvalidAuthenticityToken 
(ActionController::InvalidAuthenticityToken):

__________________________________________

As both of you suspected, the Session ID is different just for this 
method call.
And hence the authenticity token that I send is invalid.

If I call the "insert" method again after the "upload_image"
method has
failed, the Session ID is correct again and it works.

But I don''t understand why the Session ID is suddenly different for one
particular method.

Any ideas?

Thanks for the help so far.
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Any ideas, anyone?
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Anjan Tek wrote:
> Any ideas, anyone?
It looks as if "Mister" had the same problem. Although he was using
JSP,
i believe you get a good explanation of what is going on.

"Firefox apparently uses another instance of the browser window to 
dispatch the uploaded file, this window does not have the session.  I 
searched for some possible answer and it seems you need to ask the 
correction combination of questions to find the solution.   The Flex 
documentation seems to hint at part of the issue, but nothing direct 
enough."

http://thanksmister.com/?p=59
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Thanks. I''ll look closer into that. But I was testing on Safari (Mac) 
and not Firefox.

But lately, I''ve been having more problems with the authentication / 
session ID stuff. More of my actions started giving me the same error. I 
ended up just switching off the verification authenticity globally. It 
seems to be such a pain to configure when you are not using plain 
erb/rhtml web apps.

And surprisingly few people seem to know about these issues.

Thanks again. I just had quick scan over that post you linked to. I''ll 
give it a closer look.

-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On 19 Nov 2008, at 19:16, Anjan Tek wrote:
> Thanks. I''ll look closer into that. But I was testing on Safari
(Mac)
> and not Firefox.
>
> But lately, I''ve been having more problems with the authentication
/
> session ID stuff. More of my actions started giving me the same  
> error. I
> ended up just switching off the verification authenticity globally. It
> seems to be such a pain to configure when you are not using plain
> erb/rhtml web apps.
>
> And surprisingly few people seem to know about these issues.
Issues that can be overcome very easily (see below). It is a very bad  
idea to disable the authenticity token, it was put in place to protect  
your site from malicious attacks.
> Thanks again. I just had quick scan over that post you linked to.
I''ll
> give it a closer look.
The solution is pretty simple to be honest:

In your view layout file, add this to the <header> section:

     <script type="text/javascript" charset="utf-8">
         window._token = ''<%= form_authenticity_token
-%>'';
     </script>

In application.js, add the following:

Ajax.Base.prototype.initialize = Ajax.Base.prototype.initialize.wrap(
   function(p, options){
     p(options);
     this.options.parameters = this.options.parameters || {};
     this.options.parameters.authenticity_token = window._token ||
'''';
   }
);

It will automatically add the authenticity token to ALL ajax requests,  
even those you invoke from custom code (graceful degrading and/or even  
delegated events for example).

A similar solution for those swapping out Prototype with JQuery has  
been posted at http://henrik.nyh.se/2008/05/rails-authenticity-token-with-jquery

As for file uploaders, a normal field within a form (multipart=true)  
will be sent as part of the form (and isn''t an ajax request in the  
first place) and shouldn''t be a problem. If you are using ANY other  
"ajax" uploader, there''s more to it. I already posted several
times on
how to get SWFUpload to play nicely with Rails, an overview with links  
to the appropriate posts can be found here:

http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/45f70281a5992fa7


Best regards

Peter De Berdt


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi!

Would your solution above work for Flex apps as well? I''m using no
AJAX.
Just Flex and rails. Even the upload is done from within Flex.

As I''ve mentioned previously in the post, I am sending the authenticity
token along with all my requests to rails. But the problem is that the 
authenticity token that is sent become invalid because of a changing 
Session ID.

Thanks.

Anjan
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On 23 Nov 2008, at 10:34, Anjan Tek wrote:
> Would your solution above work for Flex apps as well? I''m using no
> AJAX.
> Just Flex and rails. Even the upload is done from within Flex.
>
> As I''ve mentioned previously in the post, I am sending the  
> authenticity
> token along with all my requests to rails. But the problem is that the
> authenticity token that is sent become invalid because of a changing
> Session ID.
If you look at the post about getting SWFUpload up and running, you''ll
notice there''s a patch for the session handling in there that allows  
you to pass the session data as normal post parameters instead of a  
cookie and make Rails detect and use it. Flex being a Flash-based  
frontend, you should be able to do the same. My guess is that  
ActionScript will have a similar way of automatically adding that data  
to each request. Maybe someone on this list has already integrated a  
Flexbased app this way (I know there are some Flex developers on this  
list), else you''ll have to ask on a Flex forum/mailing list.


Best regards

Peter De Berdt


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi
I had the same problem. After some digging and http sniffing I found 
this repo on github that solves the problem: 
http://github.com/lardawge/swfupload-rails-authentication/tree/master


The workaround is to use a rack file to filter the request from flex:

require ''rack/utils''

class FlashSessionCookieMiddleware
  def initialize(app, session_key = ''_session_id'')
    @app = app
    @session_key = session_key
  end

  def call(env)
    if env[''HTTP_USER_AGENT''] =~ /^(Adobe|Shockwave) Flash/
      params = ::Rack::Utils.parse_query(env[''QUERY_STRING''])
      env[''HTTP_COOKIE''] = [ @session_key,
params[@session_key]
].join(''='').freeze unless params[@session_key].nil?
    end
    @app.call(env)
  end
end
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

2009/4/10 Matteo Parmi
<rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
>
>  def call(env)
>    if env[''HTTP_USER_AGENT''] =~ /^(Adobe|Shockwave)
Flash/
>      params =
::Rack::Utils.parse_query(env[''QUERY_STRING''])
>      env[''HTTP_COOKIE''] = [ @session_key,
params[@session_key]
> ].join(''='').freeze unless params[@session_key].nil?
>    end
>    @app.call(env)
>  end

I want to find a way that detection flash client. But I cannot.
There isn''t "Flash" string in HTTP_USER_AGENT in Safari.
Someone said check HTTP_X_FLASH_VERSION.
These params appear when I have flash player installed. Also I don''t
use
flash player visit rails.

So, I don''t know how to detection flash client now?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---