Hi Max,
The strategy I usually follow is catch the error, log it (and check
logs periodically to make sure it's not really an xss attack), set a
msg for the user about the problem, and then redirect the user back to
where they came from, something along the lines of (in app/controllers/
application_controller.rb):
...
  rescue_from ActionController::InvalidAuthenticityToken, :with => :bad_auth_token
...
  # keep the handler and its helper out of the public (routable) action set.
  private

  def get_in_app_referer_url
    ref_url = request.referer
    # or some default if not coming from in app?
    ref_url = "/" if ref_url.blank?   # or ... (some other in-app check)
    ref_url
  end

  def bad_auth_token
    # log it.
    logger.warn("....")
    # notify user.
    flash[:err] = "...."
    # send them back to try again.
    redirect_to(get_in_app_referer_url)
  end
...
Jeff
On Apr 14, 4:53 am, Max Williams <[email protected]> wrote:
> hey all. I'm using the hidden authenticity_token system in my rails
> app. This is designed as a security measure but sometimes it kicks off
> in response to fairly innocent user actions like clicking the back
> button and then submitting a form, or submitting a form after the server
> has just been restarted, or whatever.
>
> That's not really important (i don't want to debate whether the above
> should cause authenticity token fails). What is important is that it's
> going to happen sometimes in response to non-hostile user actions, and
> when it happens i don't want it to result in a crash screen for the
> user: instead, something more friendly should happen.
>
> I'm catching the exception with rescue_from, so from a technical point
> of view i'm good, but now i can't work out what the best thing to
> actually *do* is. What i'm doing as a baseline is just sending them to
> the homepage with an error message in flash[:error]. This works from a
> security point of view, and is much better than a 500 page, but i feel
> like i could do something better. Any ideas? Is there a standard
> practice for this?
>
> grateful for any advice - max
> --
> Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
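A runnable sketch of the handler Jeff describes, added here as an example rather than code from his reply or from Rails. It runs without Rails: FakeRequest and AuthTokenFailureHandler are hypothetical names, "app.example.com" and the addresses in the usage are constructed values, and the two points it adds to the thread are (1) only following the Referer when it points back into the app, since a bare redirect to a client-supplied Referer is an open redirect, and (2) keeping a per-client failure count so the periodic log check has something concrete to look at.

```ruby
require "uri"
require "logger"
require "stringio"

# Hypothetical stand-in for the few ActionController request fields the handler
# uses, so the example runs outside Rails. In a real app you would pass `request`.
FakeRequest = Struct.new(:referer, :host, :remote_ip, :path)

class AuthTokenFailureHandler
  DEFAULT_PATH = "/"
  USER_MESSAGE = "Your session expired or the form was stale; please try again."

  def initialize(logger:, app_host:)
    @logger   = logger
    @app_host = app_host.downcase
    @failures = Hash.new(0)   # remote_ip => number of token failures seen
  end

  # The Referer header is client-supplied, so it is only followed when it points
  # back into this app; anything else falls back to DEFAULT_PATH. This closes the
  # open-redirect hole a bare `redirect_to request.referer` would leave.
  def in_app_referer_url(request)
    ref = request.referer.to_s.strip
    return DEFAULT_PATH if ref.empty?

    uri = URI.parse(ref)
    return DEFAULT_PATH unless uri.host.to_s.downcase == @app_host

    path = uri.path.to_s
    # "//host" is a protocol-relative URL; reject it even on the right host.
    return DEFAULT_PATH if path.empty? || !path.start_with?("/") || path.start_with?("//")

    uri.query ? "#{path}?#{uri.query}" : path
  rescue URI::InvalidURIError
    DEFAULT_PATH
  end

  # What the rescue_from handler does: count and log the failure, then return the
  # redirect target and the flash message for the user.
  def handle(request)
    @failures[request.remote_ip] += 1
    @logger.warn(
      "InvalidAuthenticityToken ip=#{request.remote_ip} path=#{request.path} " \
      "referer=#{request.referer.inspect} count=#{@failures[request.remote_ip]}"
    )
    [in_app_referer_url(request), USER_MESSAGE]
  end

  # The "check the logs periodically" part: clients with an unusual number of
  # failures are the ones worth a look, since a stale form or a back button
  # produces one or two failures, not dozens.
  def suspicious_clients(threshold: 5)
    @failures.select { |_ip, n| n >= threshold }.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  handler = AuthTokenFailureHandler.new(logger: Logger.new($stderr), app_host: "app.example.com")
  # Constructed requests: a stale in-app form, then a Referer pointing off-site.
  puts handler.handle(FakeRequest.new("http://app.example.com/posts/3/edit", "app.example.com", "203.0.113.9", "/posts/3")).inspect
  puts handler.handle(FakeRequest.new("http://evil.example.net/", "app.example.com", "203.0.113.9", "/posts/3")).inspect
end
```

In a real controller the `handle` call sits inside the `rescue_from` handler and its two return values become the `redirect_to` target and the flash entry; the per-client counter would live in the log pipeline rather than in controller memory.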