On Thu, Jan 10, 2013 at 4:18 AM, Jeff Miller <[email protected]> wrote:

> Hello all,
>   I've been trying to diagnose an issue with CSRF and Firefox
> specifically. I've got an ajax based form, using UJS (yes, I have
> csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
> to the ajax beforeSend events without any luck)...


Instead of sending it as part of the header, have you tried sending it as
part of the data?  I'm not sure if it will make any difference (it should
not) but it won't hurt to try.



> The form just posts
> some data to an ajax method that creates, saves, and sets the session
> for a shopper as well as for a hit object, then returns some JSON. This
> works in Chrome and Safari (haven't tested IE yet), but Firefox is a
> no-go. Basically, the session gets reset by CSRF (I confirmed this by
> setting config.action_controller.allow_forgery_protection to false and
> it works), but the weird thing is that upon inspecting the session, I DO
> have a hit_id, but no shopper_id!! This completely breaks my form and is
> frustrating as hell :P
>
> I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would
> be appreciated!
>
> --
> Posted via http://www.ruby-forum.com/.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>


-- 
-------------------------------------------------------------
visit my blog at http://jimlabs.heroku.com
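
Added example, not part of the original thread or of Rails itself: a simplified Ruby model of the check Rails 3.2 applies to non-GET requests, showing that the session token is accepted from either the `authenticity_token` parameter or the `X-CSRF-Token` header, and that a failed check resets the session before the action runs. `Request`, `dispatch` and `run_case` are hypothetical names, and the session values are constructed.

```ruby
require 'securerandom'

# Hypothetical request object for this sketch (not a Rails class).
Request = Struct.new(:verb, :params, :headers, :session)

# The token lives in the session and is echoed into the page by csrf_meta_tag.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# A non-GET request passes if the session token arrives either as the
# authenticity_token parameter or as the X-CSRF-Token header.
def verified_request?(req)
  return true if req.verb == 'GET'
  expected = form_authenticity_token(req.session)
  [req.params['authenticity_token'], req.headers['X-CSRF-Token']].include?(expected)
end

# An unverified request has its session reset before the action runs,
# so anything stored earlier is gone and only new writes remain.
def dispatch(req)
  req.session.clear unless verified_request?(req)
  yield req.session
  req.session
end

# Constructed sample: an existing session, then the same POST sent three ways.
def run_case(transport)
  session = { visits: 3 }
  token = form_authenticity_token(session)
  params = {}
  headers = {}
  params['authenticity_token'] = token if transport == :data
  headers['X-CSRF-Token'] = token if transport == :header
  req = Request.new('POST', params, headers, session)
  dispatch(req) { |s| s[:hit_id] = 42 }
end

if __FILE__ == $PROGRAM_NAME
  %i[data header none].each { |t| puts "#{t}: #{run_case(t).keys.inspect}" }
end
```

If both the `data` and `header` cases keep the earlier session keys in a real application too, the token transport is not the cause and the place to look is whether the browser sends back the same session cookie the token was issued for.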
