rails 3 protect_from_forgery not doing anything

Question

I tried to fake forgery request in my rails 3.0.8 app with no success

I have regular form and I changed the auth key with Tamper before submit it at this point I would expect rails to reset the session and therefor signout the current_user however it didn't happen, the action completed successfully and the user stay signed in

I have the protect_from_forgery statement in my application controller and I tried to change config.consider_all_requests_local to false

score 6 · Answer 1 · answered Jul 05 '11 at 22:35

6

Indeed... it does something but you have to code it.

The previous behavior was removed, it's a controversial decision but you can get it back including the following code in your ApplicationController:

def handle_unverified_request
  #add here code to empty the session
  raise ActionController::InvalidAuthenticityToken
end

answered Jul 05 '11 at 22:35

apneadiving

114,565
26
219
213

the current behavior should be that handle_unverified_request? reset session, and it doesn't do that – gilsilas Jul 05 '11 at 22:53
In addition, I tried your code and it still doesn't change anything – gilsilas Jul 05 '11 at 22:55
just found this: http://stackoverflow.com/questions/6090063/rails-3-protect-from-forgery-not-working-correctly I don't know why your app isn't working – apneadiving Jul 05 '11 at 23:07
The problem was just a bug in the Firefox Tamper plugin. the session is reset now when expected too. – gilsilas Jul 05 '11 at 23:28
Ouch... Time wasted then. I understand I answered your question? – apneadiving Jul 05 '11 at 23:54

rails 3 protect_from_forgery not doing anything

1 Answers1