2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
...he
client side? - line 228 in the 2.3 patch tests that XML requests
should be validated for an authenticity token. This is going to break
quite a few things.
Should Rails by default (still) support authenticated stateless
requests (for the sake of web services)? Or should we handle this by
overriding handle_unverified_request (line 31 patch 2.3)?
What am I missing?
Thanks
Siebert
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
2011 Feb 11
11
CSRF protection in rails 2.3.11
....
rails 2.3.11: all fine, new post saved
rails 2.3.10: ActionController::InvalidAuthenticityToken
I checked ApplicationController to see if it still contained
"protect_from_forgery", which is the case.
I read the announcement for the CSRF changes in 2.3.11 and they talk
about overriding handle_unverified_request for special cases where
there are other ways for authenticating a user. In this simple case I
demonstrated though, there is no concept of a user or logging in (or a
session), so the default action of resetting the session is not very
useful.
In my opinion, CSRF protection is about verifying a reque...