
I had `<%= csrf_meta_tags %>` in my HEAD tag, but I created the form manually, so the `authenticity_token` hidden field was not getting inserted into my form.

So I added the authenticity_token manually:

<input name="authenticity_token" value="<%= form_authenticity_token %>" type="hidden">

When I send my website's default contact form (the user is not logged in), the action that handles it should verify the token and allow/deny the request. But it does not: I use jQuery to empty the field and submit the form, but no error or exception is thrown.

I have this line, `protect_from_forgery with: :exception`, in application_controller.rb, and I put the same in foo_controller.rb, which extends application_controller and has the action that responds to the contact form.

So what am I missing? What do I have to do to have this form verified in the backend?

Thanks a lot!

Victor Ferreira
  • You don't need `protect_from_forgery with: :exception` in `foo_controller.rb` as long as application controller has it. Your setup is generally right, but it's hard to tell more without seeing your form/javascript code, please add it. – Nic Nilov Jun 30 '16 at 23:16

1 Answer


When the submitted auth token is missing or does not match the one in the session, Rails does what `protect_from_forgery with:` specifies, but the request handling is not terminated. What happens is that the session gets destroyed, so the request is handled as belonging to a non-logged-in user.

Here is an excellent writeup discussing how protect_from_forgery works.

It's hard to tell without looking at the code, but I'd say your form submission code either does not pick up the auth token input value or it becomes stale before the request is made. The latter can happen in a number of scenarios, such as the page being loaded from the browser cache or browser tabs being used to log in/log out in parallel with the page in question.

Nic Nilov
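To see what the token check behind `protect_from_forgery` actually compares on a non-GET request, here is an added, self-contained model of the Rails 4.2+ masked-token scheme (this is example code written for this answer, not Rails' own implementation): `form_authenticity_token` renders the session secret XORed with a fresh one-time pad, and verification strips the pad and compares in constant time. The session hash and the `new_session` helper are constructed stand-ins for Rails' session store; what happens after a failed check (exception, null session or reset session) is the strategy's job and is not modelled here.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32

# Constructed stand-in for the Rails session: holds the raw CSRF secret.
def new_session
  { "_csrf_token" => Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH)) }
end

def real_token(session)
  Base64.strict_decode64(session["_csrf_token"])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Equivalent of form_authenticity_token: the secret XORed with a fresh
# one-time pad, so the value rendered into each page differs every time
# while still verifying against the same session secret.
def masked_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_token(session)))
end

# Constant-time comparison so the position of a mismatch cannot be timed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check performed for every non-GET request: an empty, undecodable,
# stale (other session) or tampered authenticity_token is rejected.
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String) && !encoded.empty?
  begin
    decoded = Base64.strict_decode64(encoded)
  rescue ArgumentError
    return false
  end
  case decoded.bytesize
  when TOKEN_LENGTH       # unmasked token, still accepted for compatibility
    secure_compare(decoded, real_token(session))
  when TOKEN_LENGTH * 2   # masked token: strip the pad, then compare
    pad, enc = decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor_bytes(pad, enc), real_token(session))
  else
    false
  end
end
```

Emptying the hidden field with jQuery, as in the question, yields the `""` case and fails the check; a token rendered under a different session (stale page, parallel login/logout tab) fails the comparison even though it decodes cleanly.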