similar to: Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags?

Displaying 20 results from an estimated 120 matches similar to: "Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags?"

2009 Sep 28
2
Error with flash and form_authenticity_token in new rails application with scaffolding
Hi All, I get this strange problem with newly scaffolded apps - I''d really appreciate any help in this regard. /usr/local/lib/ruby/gems/1.9.1/gems/activesupport-2.3.4/lib/ active_support/message_verifier.rb:46:in `block in secure_compare'' /usr/local/lib/ruby/gems/1.9.1/gems/activesupport-2.3.4/lib/ active_support/message_verifier.rb:45:in `each''
2010 Sep 21
0
Upload form with uploadify jquery plugin
I would like to integrate the uploadify plugin with a standard rails form. However I can''t figure out how to add a new field and have it get submitted with the file upload. I added a name field into the form, but the valued does not get submitted. <% dialog_file_description = ''Photos'' allowed_extensions = [:jpg, :jpeg, :gif, :png] max_size = 20.megabyte
2008 Apr 09
3
form_tag and form_for cause #protect_from_forgery errors
Hey All, I''m trying to do a simple form_for (and I also get it with form_tag) and I''m getting the following error: ActionView::TemplateError (No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).) on line #2 of users/new.fbml.erb: 1: <h1>Welcome To Courses, Let''s Get
2007 Oct 03
2
active_record_store sessions does not pass a :secret to #protect_from_forgery in Rails 2.0.0 Preview
After switching to active_record_store to host sessions, I now get the following errors: ActionController::InvalidAuthenticityToken in Pages#edit Showing app/views/pages/edit.html.erb where line #5 raised: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). Extracted source (around line #5): 2: 3:
2009 Oct 28
6
undefined method `^' for "e":String
I''m attempting to learn Ruby on Rails, but these errors aren''t helping. I''m currently trying to follow the lessons available on www.learningrails.com. I received this error after trying to visit a page generated by using the scaffold command. Actually, this is all I did up until the error: rails sample2 -d mysql mysqladmin -u root -p create sample2_development ruby
2006 Apr 09
1
PageSweeper not working since upgrading to 1.1.1
Hi, I upgraded from 1.0 to 1.1.1, now my cache sweepers acts up. They worked perfectly before he upgrade, now I get strange errors. I have an empty controller, it looks like this: class PageElementsController < ApplicationController cache_sweeper :element_sweeper def element_container_show render :inline=>"" end end The sweeper looks like this: class
2008 Jul 29
0
Re: InvalidAuthenticityToken with Lightview
On 29 Jul 2008, at 01:00, Elliot Chyba wrote: > I''m integrating Lightview, > http://www.nickstakenburg.com/projects/lightview/, into an > application. > It''s more or less a content overlay similar to a light box, which then > calls the content either through an IFRAME or Ajax request. The IFRAME > works fine but for obvious reasons, I''d prefer to use
2010 Sep 09
1
406 Not Acceptable with swfupload
---------flash_session_cookie_middleware.rb require ''rack/utils'' class FlashSessionCookieMiddleware def initialize(app, session_key = ''_session_id'') @app = app @session_key = session_key end def call(env) if env[''HTTP_USER_AGENT''] =~ /^(Adobe|Shockwave) Flash/ req = Rack::Request.new(env) params =
2008 Jan 23
2
CSRF / cached authenticity tokens / ajax requests
I''m going to go out on a limb here and say the new CSRF protection in Rails is flawed. Why? Forget about caching if you care to use it. Consider the following: <% cache do %> <%= link_to_remote "Add To Favorites", :url => {:controller => "favorites", :action => "create", "movie_id" => 2} %> <% end %> # Output <a
2010 Sep 04
0
CSRF protection not working with jquery ajax post request
Hallo, I want to test the csrf protection of my application but forgery protection is not working with jquery ajax request. I have used Unobtrusive Javascript with jquery I have removed the <%= csrf_meta_tag %> so that my application do not include authenticity token. In my view I have the following code $(function () { $(''#alert'').click(function () { $.ajax({
2011 Aug 28
1
Page Caching, CSRF, and Loading a form via Ajax
Hi all, I would like to use page caching on my homepage, but also want to enable people to sign in via a modal dialog sign in form. I could have a setup in which when a user lands on the cached homepage, an Ajax GET request pulls in the whole login form so that there is a fresh authenticity token. That said, besides the additional hit to the server, the CSRF token in the head area of the page
2013 Jan 22
2
Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
I am running a Rails 4 app in semi-production and I constantly get exceptions from crawler bots that use a HEAD HTTP method, which causes the CSRF protection to kick in. Shouldn''t HEAD requests normally be handled like GET requests? I am not sure if I''m just being stupid or that hit is a bug somewhere. Michiel -- You received this message because you are subscribed to the
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I''m setting up a Paypal IPN listener and need the create action to not use rails'' default CSRF protection. I''ve got that working fine & test it actually works with cucumber (where I''ve turned CSRF back on, since it''s full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail
2009 Aug 28
4
InvalidAuthenticityToken
Hi guys What does the below line says ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken): -e:2:in `load'' -e:2 Please guide me -- Karthik.k Mobile - +91-9894991640
2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
Hi all, My team and I are finding ourselves a little in the dark about the "CSRF Protection Bypass in Ruby on Rails" vulnerability that was announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails 1. Where is the complete Advisory? The Impact section is very unclear. Looking at the comment in the 2.3 patch mentions "Flash animations and
2010 Sep 21
7
Ajax CSRF in Rails3
I''m using rails3. It does not seem to check the authenticity_token when doing a POST using Ajax. I traced this to: module ActionDispatch class Request < Rack::Request ..... def forgery_whitelisted? get? || xhr? || content_mime_type.nil? || ! content_mime_type.verify_request? end end so you don''t check if its a get? or a xhr? (ie ajax request). Is this correct? --
2007 Oct 23
6
Auto complete plugin and CSRF protection-- do you care?
Hi, I just noticed that the auto_complete plugin does not work with the CSRF protection in Rails 2.0. I''ve patched the plugin, but I''m wondering if people would like to see the official plugin fixed. If so, speak up and I will write some tests and submit the patch. Krishna --~--~---------~--~----~------------~-------~--~----~ You received this message because you are
2013 Jan 09
4
CSRF resets my session in Firefox
Hello all, I''ve been trying to diagnose an issue with CSRF and Firefox specifically. I''ve got an ajax based form, using UJS (yes, I have csrf_meta_tag in my layout and I''ve tried adding the X-CSRF-Token header to the ajax beforeSend events without any luck)... The form just posts some data to an ajax method that creates, saves, and sets the session for a shopper as
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community, As part of a programming languages/security research group at the University of Maryland, we are building some static analysis tools for Rails applications. These tools work by taking formally specified properties of interest, and then analyzing code to verify that those properties indeed hold. Using these tools, we found some security vulnerabilities in Rails, and we would
2008 Jan 30
2
Invalid authenticity tokens when using subdomains
Does anyone have experience with using subdomains and rails? The example that I used to help me out was from the Advanced Rails Recipes book, but I can''t get it working as it should. I continually get authenticity token errors after logging in. I have had this error before, and for whatever reason after I added a<%= token_tag %> to the form it worked, but it doesn''t work