Questions tagged [authenticity-token]

AuthenticityToken is a feature of Ruby on Rails used to protect against CSRF

81 questions
3 votes · 1 answer

Rails InvalidAuthenticityToken at random times

Here is the deal. Our application is working and is being used by writers to send in content for the web site. Problem is, from time to time, our writers get an error after submitting the form for any resource in the site. The error after checking…
Draiken

3 votes · 1 answer

Testing controller methods protected from forgery in Rails

I'm trying to test a method I have in my application, but I don't know how to unit test a method that is being protected from forgery, take a look at this: def index @alumnos = Alumno.paginate :per_page => 20, :page => params[:page],…
MexicanHacker

3 votes · 1 answer

Remove div from authenticity_token in Rails?

How can I remove the div from authenticity_token in Ruby on Rails? Thanks.
Gabriel Bianconi

3 votes · 1 answer

Rails Devise login using curl

I'm trying to log in to Devise using curl as follows: curl -v -b cookie.file -c cookie.file -H "Content-Type: application/json" -X POST -d '{"user" : {"email":"MYUSER" , "password":"MYPASSWORD" }}'…
random

2 votes · 1 answer

Received WARNING: Can't verify CSRF token authenticity after upgraded from Rails 3.0.2 to 3.1

Searched around for a while; the common solution to it is to insert <%= csrf_meta_tags %> into the layout header. However, it makes no difference. Installing jquery-rails doesn't help either. Rails 3.1.0, Ruby 1.9.2, Mongoid 2.2.0. Another weird thing after…
aquajach

2 votes · 0 answers

best way to deal with bots in rails

We get bombarded with random POSTs and GETs, mostly they 500 b/c of invalid authenticity token (the POSTs): Started POST "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" for 45.146.165.123 at 2021-06-29 04:15:39 -0400 I,…
user1130176

2 votes · 0 answers

login to web page using authenticity token with curl

I'm trying to create a custom program (or a script) to log in to a web page and then download a file. The login page has a form with 2 text fields (username and password) and a hidden field "authenticity_token". I've read about authenticity tokens. I…
John d.

2 votes · 3 answers

Handling CSRF authenticity token for navigator.sendBeacon requests in rails

$(window).on('unload', function() { db.flipCounter.get(gon.slug, function(obj) { var payload = { slug: gon.slug, localFlipCount: obj.fc, time: Date.now() } …
Marvin Danig

2 votes · 0 answers

Random POST requests cause Devise RegistrationsController#create to throw ActionController::InvalidAuthenticityToken

I am getting random ActionController::InvalidAuthenticityToken exceptions in production roughly every 30 minutes. Devise's RegistrationsController picks up POST requests to / because of the custom devise route (from this tutorial). Signing up with…
simonlehmann

2 votes · 2 answers

How to share sessions between subdomains with Rails 2.3.8

I have found numerous posts that describe how to do this. They all look something like putting this in the appropriate environment config file: config.action_controller.session[:domain] = '.localhost' However, if I do this then trying to sign in…
eksatx

2 votes · 2 answers

Ruby on Rails: Difference of Authenticity Token being in Header or POST

I've just noticed it doesn't matter where I put my Authenticity Token when submitting a request via AJAX. I can either append it to the form as POST data, or put it into the Header. Is there any difference? Especially regarding security?…
Sebastian

2 votes · 1 answer

Why are Rails Authenticity Tokens session persistent and not unique to each submission?

I'm wondering why Rails form Authenticity Tokens last the entire session instead of being generated uniquely per each submission. I'm coming from web2py, where forms are generated with unique one-time tokens called _formkey. The formkey…
Yarin

2 votes · 1 answer

POST request on Rails backend from iPhone

I wanted to perform a POST request to my rails backend from my iPhone app. However, I don't have access to the authenticity token, which prevents me from performing this operation. I was looking through some resources on the internet and I found…
Renan

1 vote · 1 answer

Rails form_authenticity_token not regenerating after POST request

I was under the impression that Rails will regenerate the form_authenticity_token after any POST, PUT, or DELETE action. But for some reason, after a successful POST to the users resource the form_authenticity_token does not regenerate. I'm free to…

1 vote · 2 answers

Work with authenticity token? Or disable it?

My mini-web-appliance will submit data samples to a RoR app, which will add them to a MySQL table. I figured out how to form the POST data packet, but what I don't get is how to avoid the authenticity-token problem. Is there a way for my little dumb…