Questions tagged [protect-from-forgery]
33 questions
131 votes, 8 answers
Rails CSRF Protection + Angular.js: protect_from_forgery makes me log out on POST
If the protect_from_forgery option is mentioned in application_controller, then I can log in and perform any GET requests, but on the very first POST request Rails resets the session, which logs me out.
I turned the protect_from_forgery option off…

asked by Paul
10 votes, 1 answer
CSRF Protection with HTTP GET requests in Rails
I understand that Rails by default doesn't have CSRF protection for HTTP GET requests, because it claims they are idempotent. However, there is sensitive information that is returned to the user from these GET requests, and I wouldn't want a…

asked by Aayush Kumar
10 votes, 3 answers
How to turn off the Rails protect_from_forgery filter only for JSON
I have a web site built with Rails 3 and now I want to implement a JSON API for mobile client access. However, sending a JSON POST request from the client fails because of the protect_from_forgery filter. Because the client will not retrieve any data from the…

asked by katsuya
10 votes, 4 answers
Can't verify CSRF token authenticity Rails/React
I have a React component in my Rails app where I'm trying to use fetch() to send a POST to my Rails app hosted on localhost; this gives me the error:
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
I'm using…

asked by robinmanz
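The first question on this page (Angular, logged out on the first POST) and the React fetch() question just above are the same mechanism seen from two sides: protect_from_forgery rejects every non-GET/HEAD request that does not carry a token matching the one in the session, and what happens next depends on the strategy chosen with `with:`. Rails 3 reset the session on a failed check, which is the log-out Paul describes; Rails 4 and later default to a null session, and the generated ApplicationController opts into raising an exception. The Ruby below is an added, stand-alone model of that scheme written for this page; it is not Rails' own code. Sessions and requests are plain hashes (an assumption made so it runs without Rails), and the token masking (random one-time pad followed by pad XOR token, as Rails has done since 4.2), the constant-time comparison and the three strategies are written out in full so the failure modes in both questions can be reproduced.

```ruby
require "securerandom"
require "base64"

# Added stand-alone model of protect_from_forgery's masked token scheme.
# Session and request are plain hashes (assumption), so it runs without Rails.
TOKEN_LENGTH = 32

class InvalidAuthenticityToken < StandardError; end

# One real token per session, kept base64-encoded under :_csrf_token, as Rails
# keeps it in session[:_csrf_token]; generated lazily on first use.
def real_csrf_token(session)
  session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH))
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Value rendered into the form field / <meta name="csrf-token">: a fresh random
# one-time pad followed by (pad XOR real token). Every response carries a
# different value for the same session, which is what defeats BREACH-style
# compression attacks on the page body.
def masked_csrf_token(session)
  real = real_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real))
end

# Recover the real token from a submitted masked one; nil if malformed.
def unmask_csrf_token(masked)
  raw = Base64.strict_decode64(masked.to_s)
  return nil unless raw.bytesize == 2 * TOKEN_LENGTH
  xor_bytes(raw[0, TOKEN_LENGTH], raw[TOKEN_LENGTH, TOKEN_LENGTH])
rescue ArgumentError
  nil
end

# Constant-time comparison: the loop runs over every byte regardless of where
# the first mismatch is, so timing does not leak how much of the token matched.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors Rails' verified_request?: GET/HEAD pass without a token; anything
# else must present a valid token either as the authenticity_token param
# (forms) or in the X-CSRF-Token header (fetch/XHR clients).
def verified_request?(session, request)
  return true if %w[GET HEAD].include?(request[:method])
  real = real_csrf_token(session)
  [request.dig(:params, "authenticity_token"), request.dig(:headers, "X-CSRF-Token")]
    .compact.any? { |candidate| secure_equal?(unmask_csrf_token(candidate), real) }
end

# Returns the session the action would run with, or raises, according to the
# strategy that `protect_from_forgery with:` selects.
def process(strategy, session, request)
  return session if verified_request?(session, request)
  case strategy
  when :exception     then raise InvalidAuthenticityToken, "Can't verify CSRF token authenticity"
  when :null_session  then {}              # action sees an empty session; the real one survives
  when :reset_session then session.clear   # Rails 3 behaviour: the user is logged out
  else raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  session = { user_id: 42 }
  page_token = masked_csrf_token(session)           # what the csrf-token meta tag would carry
  fetch_post = { method: "POST", params: {}, headers: { "X-CSRF-Token" => page_token } }
  cross_site = { method: "POST", params: {}, headers: {} }   # constructed: a forged POST carries no token
  puts "fetch with X-CSRF-Token header: #{verified_request?(session, fetch_post)}"
  puts "cross-site POST without token:  #{verified_request?(session, cross_site)}"
  process(:reset_session, session, cross_site)
  puts "user_id after reset_session:    #{session[:user_id].inspect}"
end
```

The client-side fix is the same for both questions: read the masked value from the csrf-token meta tag and send it in an X-CSRF-Token header on every non-GET request, and keep `protect_from_forgery` on. For a JSON API used by non-browser clients, `with: :null_session` keeps the check but stops it from touching the real session, which is usually what the "turn it off for JSON" question actually wants.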
6 votes, 1 answer
Rails 3 protect_from_forgery problems
I have two applications that need to talk to each other over HTTP. One is a PHP app and the other is my main app, the Rails app. I need the PHP app to talk to the Rails app by POSTing data to it, but when I do, I receive the Invalid…

asked by dennismonsewicz
5 votes, 2 answers
Rails 3 protect_from_forgery not working correctly?
I am using Rails 3.0.2, which has protect_from_forgery by default in application_controller.rb.
I wanted to trigger an InvalidAuthenticityToken.
To do this I have added this JavaScript to my page: …

asked by Diego
5 votes, 2 answers
CSRF detected error message on refreshing webpage
I am working on a Rails application where details are fetched from Facebook. I have fetched the details from Facebook. But when I refresh the webpage I get an error called CSRF detected. I have used some methods but all of them have failed.
The…

asked by NIkhil D Anand
5 votes, 1 answer
InvalidAuthenticityToken errors in mobile
I have read multiple questions and answers here on StackOverflow about InvalidAuthenticityToken and protect_from_forgery but am none the wiser.
I have a website that gets hundreds of these errors every day. They seem to be mainly (only?) from…

asked by Christoffer
5 votes, 1 answer
Is Rails' protect_from_forgery really useful?
I'm asking this because I feel that it's making my life overly complicated when I start communicating with Rails using AJAX or Flash.
I know it's nice to protect against CSRF, but couldn't I just check the referer or something instead?

asked by marcgg
4 votes, 2 answers
Ruby-on-rails test raising InvalidCrossOriginRequest when rendering a JS view
I am testing a controller which has actions rendering views in format .js.erb.
The tests on these actions raise the following error:
Minitest::UnexpectedError: ActionController::InvalidCrossOriginRequest: Security warning: an embedded tag on…

asked by V. Déhaye
4 votes, 2 answers
Rails request forgery protection settings
Please help a newbie in Rails :) I have a protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class.
Basically here's the code:
class ApplicationController < ActionController::Base
  helper :all #…

asked by Vitaly
3 votes, 1 answer
CSRF token problem on requests from outside the browser to a Rails server
I need to make an HTTP POST request from outside the browser, but the Rails back-end is not accepting the authentication (error 401). I know I need to pass a CSRF token in such cases, but it's not working.
When I make the request through a form on a…

asked by André Lima
3 votes, 2 answers
Rails 3, protect_from_forgery and IE8 problems
I have a Rails app that all works fine for me in all browsers (Safari, Firefox, IE6, 7, 8, etc.).
I have a new user who has a fairly locked-down version of IE8 and as soon as they try to access the app, before they even get to the login page, they get…

asked by John Polling
3 votes, 1 answer
use protect_from_forgery with: :exception but redirect user to login page if session expired
I have a Rails application with a login function, and I have
protect_from_forgery with: :exception set in application_controller.rb.
I have encountered a problem where some users have been shown the exception page when they do the following…

asked by user3920567
3 votes, 1 answer
ASP.NET and Cross Site Request Forgery
We recently ran an Appscan against an application and on a few pages the report shows:
The following changes were applied to the original request:
Set HTTP header to 'http://bogus.referer.ibm.com'
Reasoning:
The same request was sent twice in…

asked by Paritosh
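marcgg's question above asks whether checking the Referer would do instead of the token, and the Appscan finding in the last question shows how scanners probe exactly that check: resend the request with a bogus Referer and see whether the server still accepts it. The Ruby below is an added example written for this page, not code from either question and not Rails' own implementation, of a same-origin check done carefully. It prefers Origin over Referer, compares the whole scheme://host[:port] rather than a string prefix (so `https://app.example.com.evil.net` and `https://evil.net/https://app.example.com` are rejected), treats an Origin of `null` as untrusted, and fails closed when neither header is present, because Referer is routinely stripped by privacy settings, proxies and some mobile clients, so a missing header cannot be read as same-site. It is meant to sit beside the token check, which is how Rails uses its own origin comparison, not to replace it. ALLOWED_ORIGINS and the plain "Origin"/"Referer" header names are assumptions (Rack exposes them as HTTP_ORIGIN and HTTP_REFERER).

```ruby
require "uri"

# Added example (not Rails code): a fail-closed same-origin check on the
# Origin / Referer headers. Assumption: the app is served from this origin.
ALLOWED_ORIGINS = ["https://app.example.com"].freeze

# Reduce a URL to scheme://host[:port] so the comparison is exact. Default
# ports are dropped and the host is lower-cased, so https://APP.example.com:443
# and https://app.example.com compare equal. Returns nil for anything that is
# not an absolute http(s) URL.
def origin_of(url)
  uri = URI.parse(url.to_s.strip)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Returns [allowed?, reason]. Origin is preferred: browsers send it on
# cross-site POSTs and it is harder to suppress than Referer. A request with
# neither header is rejected; so is the literal Origin "null" that sandboxed
# and privacy-sensitive contexts send. Assumption: headers is a plain hash
# keyed by the header name as written on the wire.
def same_origin_request?(method, headers, allowed = ALLOWED_ORIGINS)
  return [true, "safe method #{method}"] if %w[GET HEAD OPTIONS].include?(method.to_s.upcase)
  raw = headers["Origin"] || headers["Referer"]
  return [false, "no Origin or Referer header"] if raw.nil? || raw.empty?
  return [false, "opaque origin 'null'"] if raw == "null"
  origin = origin_of(raw)
  return [false, "unparseable origin #{raw.inspect}"] unless origin
  if allowed.include?(origin)
    [true, "origin #{origin} allowed"]
  else
    [false, "origin #{origin} not allowed"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests, including the scanner's bogus Referer.
  samples = {
    "same-site form post"  => { "Referer" => "https://app.example.com/orders/new?step=2" },
    "fetch with Origin"    => { "Origin" => "https://app.example.com" },
    "Appscan bogus referer" => { "Referer" => "http://bogus.referer.ibm.com" },
    "suffix-spoofed host"  => { "Origin" => "https://app.example.com.evil.net" },
    "origin in path"       => { "Referer" => "https://evil.net/https://app.example.com" },
    "headers stripped"     => {},
  }
  samples.each do |label, headers|
    ok, reason = same_origin_request?("POST", headers)
    puts format("%-22s %-6s %s", label, ok ? "allow" : "reject", reason)
  end
end
```

The case that matters most in practice is the last one: a referer-only check that treats a missing header as acceptable is the check the scanner is looking for, and it is also the one a real attacker can trigger from a page that simply sets a no-referrer policy. That is why the token stays as the primary control and the origin comparison only adds a second, cheaper rejection path.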