Ruby on Rails Saturday, April 30, 2011

I'm using csrf_meta_tag and the headers appear correctly. The problem is when the authenticity_token has a plus sign and I use any of the jQuery ajax functions. So I tried to render the form_authenticity_token already escaped using the method above (CGI.escape), but now the jQuery ajax function works and this line isn't working anymore (when I click):


<%= link_to "Destroy", [@client, address], :confirm => 'Are you sure?', :method => :delete %>

After the click there isn't a user session anymore:

Started POST "/clients/97" for 127.0.0.1 at Sat Apr 30 21:49:15 -0300 2011
  Processing by ClientsController#destroy as HTML
  Parameters: {"authenticity_token"=>"MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT%2BTL28%2BI%3D", "id"=>"97"}


When I use AJAX it is OK:

Started DELETE "/clients/118/files/9?authenticity_token=MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT%2BTL28%2BI%3D" for 127.0.0.1 at Sat Apr 30 21:48:52 -0300 2011
  Processing by ClippingsController#destroy as JS
  Parameters: {"authenticity_token"=>"MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT+TL28+I=", "id"=>"9,", "client_id"=>"118"}

In both cases the CSRF header is exactly the same and I'm using the CGI.escape method.

Any help?

Thanks,
Ernesto


On Sat, Apr 30, 2011 at 9:27 AM, Frederick Cheung <frederick.cheung@gmail.com> wrote:


On 30 Apr 2011, at 12:48, Ernesto Rocha <ernestorrocha@gmail.com> wrote:

I did some brute force only to test, like this:

<meta name="csrf-param" content="authenticity_token"/>
<meta name="csrf-token" content="<%= CGI.escape form_authenticity_token %>"/>

Some characters are escaped, but now the link_to ... :method => :delete is not working anymore (the user session is killed).

If I use URI.escape, the plus sign is not escaped.


How are you adding the authenticity token to the URL? (PS: Rails has a csrf_meta_tag helper)

Fred
So, I'm still at point zero.

Thanks,
Ernesto


On Fri, Apr 29, 2011 at 6:10 AM, Frederick Cheung <frederick.cheung@gmail.com> wrote:


On Apr 29, 3:06 am, Ernesto Rocha <ernestorro...@gmail.com> wrote:
> How do I escape it before the Rails server processes it?
>
You'll need to do that at the point that you add the token to the link.

Fred
> Thanks,
> Ernesto
>
> On Thu, Apr 28, 2011 at 4:58 AM, Frederick Cheung <
>
>
>
> frederick.che...@gmail.com> wrote:
>
> > On 28 Apr 2011, at 03:22, Ernesto Rocha <ernestorro...@gmail.com> wrote:
>
> > Guys,
>
> > I'm using some AJAX on my application, but when protect_from_forgery is on
> > sometimes it works and sometimes the user session is killed. Today I found
> > out why.
>
> > It happens the following:
>
> > The authenticity_token is sent correctly as you can see below,
>
> > Started DELETE "/clients/118/files/20?authenticity_token=hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWGqkq0pzzwuo=" for 127.0.0.1 at Wed Apr 27 23:06:50 -0300 2011
>
> > but, next line on server is,
>
> > Processing by ClippingsController#destroy as JS
> >   Parameters: {"authenticity_token"=>"hoMH9/heaFWXWWy aE1xKQcpf4xrLoVWGqkq0pzzwuo=", "id"=>"20,", "client_id"=>"118"}
>
> > As you can see, the plus sign ('+') turned into a white space. Once the
> > token doesn't match, the user session is killed.
>
> > Is anyone experiencing this? Any help on how to fix it?
>
> > + in URLs means space. If the token genuinely contains + then you need to
> > escape it before putting it in the URL.
>
> > Fred
>
> > Thanks,
> > Ernesto
>

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
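The two failure modes in this thread (a raw '+' in a query string decoding to a space, and a pre-escaped meta token being form-encoded a second time by the browser) can be reproduced without Rails. This is an added example, not code from the thread or from Rails itself; the token value is constructed to resemble the ones logged above, and parse_query is a small stand-in for how a form-urlencoded query or body is decoded on the server.

```ruby
require 'cgi'

# Constructed sample token: contains '+', '/' and '=' like the real ones in the thread.
TOKEN = "hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWGqkq0pzzwuo="

# Decode a query string (or a form-urlencoded body) the way the server side does:
# '+' becomes a space and each %XX sequence is decoded exactly once.
def parse_query(query)
  query.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    params[CGI.unescape(key)] = CGI.unescape(value.to_s)
  end
end

# The query part of a URL, as it reaches the application after the path.
def query_of(url)
  url.split('?', 2)[1].to_s
end

# Wrong: the raw token is interpolated into the URL, so its '+' arrives as ' '.
def naive_url(token)
  "/clients/118/files/20?authenticity_token=#{token}"
end

# Right: percent-encode the token once, at the point where it enters the query string.
def escaped_url(token)
  "/clients/118/files/20?authenticity_token=#{CGI.escape(token)}"
end

# What the browser does with a hidden form field (the link_to :method => :delete case):
# the field value is form-encoded on submit. If the value was already CGI.escape'd
# in the meta tag, it gets encoded twice and the server sees '%2B' literally.
def form_body(field_value)
  "authenticity_token=#{CGI.escape(field_value)}"
end

# Token as seen by the server for each of the four scenarios.
def received_token(encoded)
  parse_query(encoded)["authenticity_token"]
end

def token_matches?(encoded, expected = TOKEN)
  received_token(encoded) == expected
end
```

Only escaping once, at the single place where the token enters the URL, keeps both the AJAX request and the form-based link working; escaping inside the meta tag breaks whichever path encodes a second time.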
