Questions tagged [authenticity-token]

AuthenticityToken is a feature of Ruby on Rails used to protect against CSRF (cross-site request forgery).

81 questions
6 votes, 2 answers

Is disabling CSRF protection sometimes justified?

I'm thinking of login forms in particular: By their nature, login forms block action on arbitrary input — without a valid username and password, you just get bounced. Is there a reason why these even need the addition of authenticity_token or…
Andrew Vit
6 votes, 1 answer

CSRF Token Session gets reset

I'm using Rails 3.2.3 along with the active_record_store for my session. What I understand is that the CSRF token in rails is stored in a session and should not be reset unless reset_session is called or for some reason the session is destroyed. But…
Ravi
5 votes, 1 answer

How can I get a valid Authenticity Token with my Rails Console?

I am trying to use my rails console to call a public post method in my controller. rails c app.post '/servers/important_method' This obviously gives me: ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken): Is…
Joe Eifert
5 votes, 1 answer

Rails 4 Ajax request with no authenticity token

I am sending some very simple ajax post and patch requests via javascript in my application. The functionality is fine, works as intended. However, I do not see the authenticity token in the ajax request params and it still works. javascript…
Matt Ramirez
5 votes, 1 answer

Authenticity_token in Rails + Android

I am developing an Android application that communicates with a rails server. I don't want to ignore the authenticity_token but I also don't think asking for it is the right answer. What can be done to protect my POST requests?
jmpenetra
4 votes, 1 answer

API/JSON: Can't verify CSRF token authenticity

I'm trying to build a JSON API for my Rails application, and have written the following method: def create organization = Organization.find(params[:organization][:node_id]) node = organization.nodes.build(nodes_params.except[:id]) if…
Nick
4 votes, 2 answers

Rails request forgery protection settings

Please help a newbie in Rails :) I have a protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class. Basically here's the code: class ApplicationController < ActionController::Base helper :all #…
Vitaly
4 votes, 2 answers

How can you use Rails AuthenticityToken infrastructure to explicitly protect a GET action

Rails AuthenticityToken automatically protects POST/PUT/DELETE requests from CSRF attacks. But I have another use case in mind. I am showing a video on my site that I don't want to be embeddable on other sites. How this works is that my flash…
gtd
3 votes, 1 answer

How do I handle iPhone requests to a Ruby on Rails backend?

We are creating mobile support for our ruby on rails website, and ran into the problems of handling authenticity tokens. As previous articles have mentioned, authenticity tokens are created on the rails server when a form is created then placed on a…
palidanx
3 votes, 2 answers

Rails 3.1 authenticity_token + uploadify

I am trying to use Uploadify with my Rails 3.1 app. I've gone through all the steps (middleware, initializers, config, etc.) and I think they are all working well, except for one thing: my authenticity token is being "evaluated" somewhere in the…
Rami GB
3 votes, 0 answers

How can I check in Rails controller if InvalidAuthenticityToken error was raised from session expiry?

I would like to be able to rescue this error and do stuff in some specific controllers, only if it was raised because of session expiry (set to 24h in session_store.rb). Is there a way to know the difference between session expiry and an actual CSRF…
3 votes, 2 answers

How to handle Invalid Authenticity Token json request from application controller in rails

When a user tries to fill in a form using a script or automation, the application controller raises the error "ActionController::InvalidAuthenticityToken". This also happens for valid, genuine users when they fill in a form, close their browser, reopen the page…
Akash Kinwad
3 votes, 1 answer

InvalidAuthenticityToken in Rails Shopify app

I have a Shopify app using the shopify_app gem. I am attempting to post a form to an admin page but keep receiving an InvalidAuthenticityToken. I am using Rails 5.1.6 and have set config.action_controller.per_form_csrf_tokens = false to help identify…
3 votes, 1 answer

Rails InvalidAuthenticityToken with HTTPS + ELB

I'm trying to get HTTPS to work for my site, but I'm getting ActionController::InvalidAuthenticityToken for all post requests. I logged the form_authenticity_param and form_authenticity_token and they are in fact different. The SSL is resolved at the…
3 votes, 1 answer

Ruby on Rails 3 InvalidAuthenticityToken With REST Calls

I'm just putting together a simple web application in Ruby on Rails 3 RC and I'm a bit stumped with the forgery protection. I plan to have a web interface as well as allow XML API calls from an iPhone app. I'm currently testing this with a REST…