ActionController: InvalidAuthenticityToken Solution

Source: Internet
Author: User

Following the examples in the third edition of Agile Web Development.

The procedure is as follows:

In Rails 2.0, enable this in environment.rb:

config.action_controller.session_store = :active_record_store

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with "rake db:sessions:create")

The point of this setting is to store session information in the database instead of in the cookie; enabling it turns that on.

At the same time you must also set the following.

In your environment.rb you have:

config.action_controller.session = {
  :session_key => '_myapp_session',
  :secret      => 'secretpass'
}

Of course, the book gives this guidance too, but I still ran into the error.

The reason is as follows:

This applies to Rails 2.0 and later. To improve security and prevent forged requests against the current web application, a random token tied to the session is embedded in the page, which an attacker cannot know; this ensures that CSRF attacks cannot be launched from another website's pages. For more information about CSRF (Cross-site Request Forgery), see:

http://en.wikipedia.org/wiki/Cross-site_request_forgery

http://isc.sans.org/diary.html?storyid=1750

Solution:

If you have followed the steps above, you only need to turn on request forgery protection. In the controller, enable the forgery-protection switch for the public instance methods. Note that only HTML/JavaScript requests that are not GET are checked, so only those requests are protected.

# in the controller; the form used in the Rails 2.0 documentation example,
# which skips the check for the index action
protect_from_forgery :except => :index
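As an added illustration (not code from the page or from Rails itself), here is a stand-alone model of the Rails 2.0 authenticity check: the token is an HMAC-SHA1 of the session id keyed with the :secret from environment.rb, and only non-GET HTML/JavaScript requests are verified. The secret reuses the page's 'secretpass'; the session id is a constructed value.

```ruby
require 'openssl'

# Stand-alone model of the Rails 2.0 authenticity check (not Rails code).
# The token is an HMAC-SHA1 of the session id keyed with the :secret, so a
# site that cannot read the victim's session cannot produce a valid token.
SECRET = 'secretpass'   # the :secret from environment.rb above (constructed example)

def form_authenticity_token(session_id, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, session_id.to_s)
end

# A request passes when it is a GET, when its format is not HTML/JS,
# or when the submitted token matches the one derived from the session.
# (Rails 2.0 compared with ==; a constant-time compare is preferable today.)
def verified_request?(method:, format:, session_id:, authenticity_token: nil)
  return true if method == :get
  return true unless [:html, :js].include?(format)
  expected = form_authenticity_token(session_id)
  !authenticity_token.nil? && authenticity_token == expected
end

def demo
  sid   = 'a1b2c3d4e5f6'                    # constructed session id
  token = form_authenticity_token(sid)      # what the form helper would embed
  {
    :legit_post  => verified_request?(method: :post, format: :html, session_id: sid, authenticity_token: token),
    :forged_post => verified_request?(method: :post, format: :html, session_id: sid),            # no token
    :wrong_token => verified_request?(method: :post, format: :html, session_id: sid,
                                      authenticity_token: form_authenticity_token('other-sid')),
    :get         => verified_request?(method: :get,  format: :html, session_id: sid),            # GET is exempt
    :xml_post    => verified_request?(method: :post, format: :xml,  session_id: sid)             # non-HTML/JS is exempt
  }
end

puts demo.inspect if __FILE__ == $0
```

The last two entries show the caveat from the text: GET and non-HTML/JS requests are never checked, so state-changing actions must not be reachable through them.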
