search for: protect_from_forgery

I''ve almost entirely converted a rails 2.3.5 app to 3pre. I''m having some trouble with protect_from_forgery. I had protect_from_forgery set in application_controller.rb, but run some uploadify ajax stuff in one of my controllers, where I had protect_from_forgery, :except => :add_file set. In rails 3 I''m getting ActionController::InvalidAuthenticityToken on the ajax upload unless I turn off p...

...milo", :clave => "secreta", :tipo => "administrador"}} end But when I add this spec, I start getting this: 1) ActionController::InvalidAuthenticityToken in ''UsuarioController deberia crear una nueva persona en post create'' No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). ./spec/controllers/usuario_controller_spec.rb:30: script/spec:4: This is the only failure. Line 30 is the post "create". I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in vendor/plugins/...

Just would like to verify: Is protect_from_forgery (in Rails 2.1) == the csrf_killer plugin from Rick Olson? Thanks, Wes -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this g...

Maybe I am grasping the full usage of this protect_from_forgery function, but it does not seem to work for me. Imagine the following: A simple website with a user that needs to log in to do certain stuff and a closed off admin section that only certain users can access that have the is_admin field set to true. So to be clear, my User model has a login, passwo...

...apps you want the session to be share with. Now, some of the apps are returning in the HTTP response a session id (_apps_session=big number) that is different, even though they have the same session_key and secret. One thing that I noted, though, is that these apps are also providing a :secret to protect_from_forgery, and the number is different from the number passed to the :secret on config.action_controller.session[:secret]. What I would like to know is, if I''m setting the secret in config.action_controller.session, do I need to pass it to protect_from_forgery? Or are they secrets of different natu...

I am having a problem using the exception_logger plugin when I have protect_from_forgery enabled. Here is the line from application.rb: protect_from_forgery :secret => ''xxxx'' But I am getting: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). Now, if I remove the secret...

I try to use db-session with protect_from_forgery. But I always get a error msg: ActionController::InvalidAuthenticityToken. application_controller.rb protect_from_forgery #:secret => ''top_secret'' session_store.rb ActionController::Base.session_store = :active_record_store hope you can help me. Best regards -- Posted v...

After switching to active_record_store to host sessions, I now get the following errors: ActionController::InvalidAuthenticityToken in Pages#edit Showing app/views/pages/edit.html.erb where line #5 raised: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). Extracted source (around line #5): 2: 3: <%= error_messages_for :page %> 4: 5: <% form_for(@page) do |f| %> 6: <p> 7: <b>Name</b><br /> 8: <%= f.text_...

Should this be working in development mode? For some reason it doesn''t. regards, John

...wbie to Rails, coming from a PHP shop, so please excuse my ignorance. I have to applications. A Codeigniter PHP app and a Rails 3.0 app. The rails app makes paypal api calls and the php app makes curl post calls to the rails app with information from a shopping cart. How can I make this work with protect_from_forgery? I basically want to pass my own auth token from the php app (or any 3rd party app for that matter) to my rails app so that it knows its ok to proceed. Thanks in advance for all help! -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google...

All, I''ve upgraded to 2.0.2, and I can''t get my login screen (the first POST request in the application) to work. When I post this form, I see the "InvalidAuthenticityToken" error. I have protect_from_forgery :secret => ''my_secret'' set in application.rb and I am using an active_record session store based on this line in environment.rb: config.action_controller.session_store = :active_record_store My login_form is generated using form_for(). However, I am using text_field_tag...

Hey All, I''m trying to do a simple form_for (and I also get it with form_tag) and I''m getting the following error: ActionView::TemplateError (No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).) on line #2 of users/new.fbml.erb: 1: <h1>Welcome To Courses, Let''s Get Started.</h1> 2: <% form_for :user, user_path, :method => :post do |form| %> 3: <fb:editor-...

...actually easier to do from a remote CSRF attackers point of view. The controller will then happily do all the work requested of it without the token being present at all. How many rails developers do we think put a POST-method validation filter around all their form processing code, and yet expect protect_from_forgery stills somehow protects the actions? Also, it appears that the authenticity token is not inserted into forms automatically when the form is specified as a GET. While GET requests *should* be idempotent, it is quite common for them not to be. Consider for instance on Yahoo! search which remembers (...

Can I get some +1s for this tiny patch? It fixes ActiveRecordHelper::form, which is broken by default in new applications created with Rails 2.0. http://dev.rubyonrails.org/ticket/10739 Jeremy --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to

...and need the create action to not use rails'' default CSRF protection. I''ve got that working fine & test it actually works with cucumber (where I''ve turned CSRF back on, since it''s full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail when it''s not set). I''ve not had any luck with telling the controller or ActionController::Base to use forgery protection in the spec and am a bit stuck. Has anyone done this before, or do any of these look possible: * reload the rails app for...

...gt;rake db:migrate now I visit /posts/new in my browser, use firebug to delete or change the authenticity token, and submit the form. rails 2.3.11: all fine, new post saved rails 2.3.10: ActionController::InvalidAuthenticityToken I checked ApplicationController to see if it still contained "protect_from_forgery", which is the case. I read the announcement for the csrf changes in 2.3.11 and they talk about overriding handle_unverified_request for special cases where there are other ways for authenticating a user. In this simple case I demonstrated though, there is no concept of a user or logging in (o...

Ok, this is harder than I thought. I''ve got a hunk of XML coming in from an entirely external source that I do not control (but another department in my company does, so it''s not like a giant security hole). I was hoping to just have them POST their data to me, and then I''d read the raw stream and parse it. I''m sure folks know what I ran into -- Invalid

Hi, Using JRuby 1.1 and Rails 2.0, I created a small project in NetBeans that allows me to generate a dynamic dialplan in XML. In case it matters, I''m using builder-2.1.2 and activerecord-2.0.2. Going in the browser to: http://localhost:3000/routing/dialplan?Caller-Destination-Number=0 Does exactly what I want: <document type="freeswitch/xml"> <section

Does anyone find them useful? I can see them being good in some cases, but I have many exceptions that occur because of expired sessions. I am also not sure if they are really required for pages that require a login to access. The other place that they cause issues is in javascript requests. I am not using the built-in helpers, and all the javascript exists in separate js files. There is ways

...right from the beginning with my login form.. I followed the recommandations : in my environment.rb config.action_controller.session = { :session_key => ''myappname'', :secret => ''6de86b5566d7598f57e757960760acd2'' } in my application.rb protect_from_forgery :secret => ''6de86b5566d7598f57e757960760acd2'' my sessions_controller.rb doesn''t have anything new inside... same code as used with rails 1.2 (is it right ?) class SessionsController < ApplicationController def new @login = "" end def create...