Displaying 20 results from an estimated 120 matches similar to: "Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags?"
2009 Sep 28
2
Error with flash and form_authenticity_token in new rails application with scaffolding
Hi All,
I get this strange problem with newly scaffolded apps - I'd really
appreciate any help in this regard.
/usr/local/lib/ruby/gems/1.9.1/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:46:in `block in secure_compare'
/usr/local/lib/ruby/gems/1.9.1/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:45:in `each'
2010 Sep 21
0
Upload form with uploadify jquery plugin
I would like to integrate the uploadify plugin with a standard rails
form. However I can't figure out how to add a new field and have it get
submitted with the file upload. I added a name field into the form, but
the value does not get submitted.
<%
dialog_file_description = 'Photos'
allowed_extensions = [:jpg, :jpeg, :gif, :png]
max_size = 20.megabyte
2008 Apr 09
3
form_tag and form_for cause #protect_from_forgery errors
Hey All,
I'm trying to do a simple form_for (and I also get it with form_tag)
and I'm getting the following error:
ActionView::TemplateError (No :secret given to the
#protect_from_forgery call. Set that or use a session store capable
of generating its own keys (Cookie Session Store).) on line #2 of
users/new.fbml.erb:
1: <h1>Welcome To Courses, Let's Get
2007 Oct 03
2
active_record_store sessions does not pass a :secret to #protect_from_forgery in Rails 2.0.0 Preview
After switching to active_record_store to host sessions, I now get the
following errors:
ActionController::InvalidAuthenticityToken in Pages#edit
Showing app/views/pages/edit.html.erb where line #5 raised:
No :secret given to the #protect_from_forgery call. Set that or use a
session store capable of generating its own keys (Cookie Session
Store).
Extracted source (around line #5):
2:
3:
2009 Oct 28
6
undefined method `^' for "e":String
I'm attempting to learn Ruby on Rails, but these errors aren't helping.
I'm currently trying to follow the lessons available on
www.learningrails.com. I received this error after trying to visit a
page generated by using the scaffold command. Actually, this is all I
did up until the error:
rails sample2 -d mysql
mysqladmin -u root -p create sample2_development
ruby
2006 Apr 09
1
PageSweeper not working since upgrading to 1.1.1
Hi, I upgraded from 1.0 to 1.1.1, now my cache sweepers act up.
They worked perfectly before the upgrade, now I get strange errors.
I have an empty controller, it looks like this:
class PageElementsController < ApplicationController
cache_sweeper :element_sweeper
def element_container_show
render :inline=>""
end
end
The sweeper looks like this:
class
2008 Jul 29
0
Re: InvalidAuthenticityToken with Lightview
On 29 Jul 2008, at 01:00, Elliot Chyba wrote:
> I'm integrating Lightview,
> http://www.nickstakenburg.com/projects/lightview/, into an
> application.
> It's more or less a content overlay similar to a light box, which then
> calls the content either through an IFRAME or Ajax request. The IFRAME
> works fine but for obvious reasons, I'd prefer to use
2010 Sep 09
1
406 Not Acceptable with swfupload
---------flash_session_cookie_middleware.rb
require 'rack/utils'
class FlashSessionCookieMiddleware
def initialize(app, session_key = '_session_id')
@app = app
@session_key = session_key
end
def call(env)
if env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/
req = Rack::Request.new(env)
params =
2008 Jan 23
2
CSRF / cached authenticity tokens / ajax requests
I'm going to go out on a limb here and say the new CSRF protection in
Rails is flawed. Why? Forget about caching if you care to use it.
Consider the following:
<% cache do %>
<%= link_to_remote "Add To Favorites", :url => {:controller =>
"favorites", :action => "create", "movie_id" => 2} %>
<% end %>
# Output
<a
2010 Sep 04
0
CSRF protection not working with jquery ajax post request
Hello,
I want to test the csrf protection of my application but forgery
protection is not working with jquery ajax request.
I have used Unobtrusive Javascript with jquery
I have removed the
<%= csrf_meta_tag %>
so that my application does not include authenticity token.
In my view I have the following code
$(function () {
$('#alert').click(function () {
$.ajax({
2011 Aug 28
1
Page Caching, CSRF, and Loading a form via Ajax
Hi all,
I would like to use page caching on my homepage, but also want to
enable people to sign in via a modal dialog sign in form. I could
have a setup in which when a user lands on the cached homepage, an
Ajax GET request pulls in the whole login form so that there is a
fresh authenticity token.
That said, besides the additional hit to the server, the CSRF token in
the head area of the page
2013 Jan 22
2
Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
I am running a Rails 4 app in semi-production and I constantly get
exceptions from crawler bots that use a HEAD HTTP method, which causes the
CSRF protection to kick in.
Shouldn't HEAD requests normally be handled like GET requests?
I am not sure if I'm just being stupid or that hit is a bug somewhere.
Michiel
--
You received this message because you are subscribed to the
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I'm setting up a Paypal IPN listener and need the create action to not
use rails' default CSRF protection.
I've got that working fine & test it actually works with cucumber
(where I've turned CSRF back on, since it's full-stack testing) but
would like my controller spec to mention the need for
protect_from_forgery :except => [:create] (and fail
2009 Aug 28
4
InvalidAuthenticityToken
Hi guys
What does the below line say?
ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):
-e:2:in `load'
-e:2
Please guide me
--
Karthik.k
Mobile - +91-9894991640
2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
Hi all,
My team and I are finding ourselves a little in the dark about the
"CSRF Protection Bypass in Ruby on Rails" vulnerability that was
announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
1. Where is the complete Advisory? The Impact section is very unclear.
Looking at the comment in the 2.3 patch mentions "Flash animations and
2010 Sep 21
7
Ajax CSRF in Rails3
I'm using rails3. It does not seem to check the authenticity_token
when doing a POST using Ajax. I traced this to:
module ActionDispatch
class Request < Rack::Request
.....
def forgery_whitelisted?
get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
end
end
so you don't check if it's a get? or a xhr? (ie ajax request). Is this
correct?
--
2007 Oct 23
6
Auto complete plugin and CSRF protection-- do you care?
Hi,
I just noticed that the auto_complete plugin does not work with the
CSRF protection in Rails 2.0. I've patched the plugin, but I'm
wondering if people would like to see the official plugin fixed. If
so, speak up and I will write some tests and submit the patch.
Krishna
2013 Jan 09
4
CSRF resets my session in Firefox
Hello all,
I've been trying to diagnose an issue with CSRF and Firefox
specifically. I've got an ajax based form, using UJS (yes, I have
csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
to the ajax beforeSend events without any luck)... The form just posts
some data to an ajax method that creates, saves, and sets the session
for a shopper as
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community,
As part of a programming languages/security research group at the
University of Maryland, we are building some static analysis tools for
Rails applications. These tools work by taking formally specified
properties of interest, and then analyzing code to verify that those
properties indeed hold. Using these tools, we found some security
vulnerabilities in Rails, and we would
2008 Jan 30
2
Invalid authenticity tokens when using subdomains
Does anyone have experience with using subdomains and rails? The
example that I used to help me out was from the Advanced Rails Recipes
book, but I can't get it working as it should.
I continually get authenticity token errors after logging in. I have
had this error before, and for whatever reason after I added a <%=
token_tag %> to the form it worked, but it doesn't work