I'm using csrf_meta_tag and the the headers appears correctly. The problem
is when the athenticity_token has a plus sign and I use any of Jquery ajax
function. So I tried to render the form_authenticity_token already escaped
using that method above ( CGI.escape), but now the jquery ajax function
works and this line isn't working anymore(when i click):
<%= link_to "Destroy", [@client, address], :confirm => 'Are you sure?',
:method => :delete %>
After the click there ins't user session anymore:
Started POST "/clients/97" for 127.0.0.1 at Sat Apr 30 21:49:15 -0300 2011
Processing by ClientsController#destroy as HTML
Parameters:
{"authenticity_token"=>"MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT%2BTL28%2BI%3D",
"id"=>"97"}
When I use ajax is ok:
Started DELETE
"/clients/118/files/9?authenticity_token=MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT%2BTL28%2BI%3D"
for 127.0.0.1 at Sat Apr 30 21:48:52 -0300 2011
Processing by ClippingsController#destroy as JS
Parameters:
{"authenticity_token"=>"MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT+TL28+I=",
"id"=>"9,", "client_id"=>"118"}
In both cases the csrf header is exactly the same and i'm using the
CGI.escape method.
Any help ?
Thanks,
Ernesto
On Sat, Apr 30, 2011 at 9:27 AM, Frederick Cheung <
[email protected]> wrote:
>
>
> On 30 Apr 2011, at 12:48, Ernesto Rocha <[email protected]> wrote:
>
> I did some brute force only to test, like this:
>
> <meta name="csrf-param" content="authenticity_token"/>
> <meta name="csrf-token" content="<%= CGI.escape form_authenticity_token
> %>"/>
>
> some characters are escaped, but now the link_to ... :method => delete is
> not working anymore (the user session is killed).
>
> If I user URI.escape the plus sign is not escaped.
>
>
> How are you adding the authenticity token to the URL ? (Ps, rails has a
> csrf_meta_tag helper)
>
> Fred
>
> So, i'm still at point zero.
>
> Thanks,
> Ernesto
>
>
> On Fri, Apr 29, 2011 at 6:10 AM, Frederick Cheung
> <<[email protected]>
> [email protected]> wrote:
>
>>
>>
>> On Apr 29, 3:06 am, Ernesto Rocha <[email protected]> wrote:
>> > How i escape it before the rails server process it ?
>> >
>> You'll need to do that at the point that you add the token to the link
>>
>> Fred
>> > Thanks,
>> > Ernesto
>> >
>> > On Thu, Apr 28, 2011 at 4:58 AM, Frederick Cheung <
>> >
>> >
>> >
>> > [email protected]> wrote:
>> >
>> > > On 28 Apr 2011, at 03:22, Ernesto Rocha <[email protected]>
>> wrote:
>> >
>> > > Guys,
>> >
>> > > I'm using some AJAX on my application, but when protect_from_forgery
>> is on
>> > > sometimes it works and sometimes the user session is killed. Today i
>> found
>> > > out why.
>> >
>> > > It happens the following:
>> >
>> > > The authenticity_token is sent correctly as you can see below,
>> >
>> > > Started DELETE
>> > >
>> "/clients/118/files/20?authenticity_token=hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWG
>> qkq0pzzwuo="
>> > > for 127.0.0.1 at Wed Apr 27 23:06:50 -0300 2011
>> >
>> > > but, next line on server is,
>> >
>> > > Processing by ClippingsController#destroy as JS
>> > > Parameters: {"authenticity_token"=>"hoMH9/heaFWXWWy
>> > > aE1xKQcpf4xrLoVWGqkq0pzzwuo=", "id"=>"20,", "client_id"=>"118"}
>> >
>> > > as you can see, the plus sign ('+') turned into a white space. Once
>> the
>> > > token doesn't match the user session is killed.
>> >
>> > > Is someone experiencing this ? Any help how to fix it ?
>> >
>> > > + in urls means space - if the token genuinely contains + then you
>> need to
>> > > escape it before putting it in the URL.
>> >
>> > > Fred
>> >
>> > > Thanks,
>> > > Ernesto
>> >
>> > > --
>> > > You received this message because you are subscribed to the Google
>> Groups
>> > > "Ruby on Rails: Talk" group.
>> > > To post to this group, send email to
>> <[email protected]>[email protected].
>> > > To unsubscribe from this group, send email to
>> > > <rubyonrails-talk%[email protected]>
>> [email protected].
>> > > For more options, visit this group at
>> > > <http://groups.google.com/group/rubyonrails-talk?hl=en>
>> http://groups.google.com/group/rubyonrails-talk?hl=en.
>> >
>> > > --
>> > > You received this message because you are subscribed to the Google
>> Groups
>> > > "Ruby on Rails: Talk" group.
>> > > To post to this group, send email to
>> <[email protected]>[email protected].
>> > > To unsubscribe from this group, send email to
>> > > <rubyonrails-talk%[email protected]>
>> [email protected].
>> > > For more options, visit this group at
>> > > <http://groups.google.com/group/rubyonrails-talk?hl=en>
>> http://groups.google.com/group/rubyonrails-talk?hl=en.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ruby on Rails: Talk" group.
>> To post to this group, send email to <[email protected]>
>> [email protected].
>> To unsubscribe from this group, send email to
>> <rubyonrails-talk%[email protected]>
>> [email protected].
>> For more options, visit this group at
>> <http://groups.google.com/group/rubyonrails-talk?hl=en>
>> http://groups.google.com/group/rubyonrails-talk?hl=en.
>>
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-talk?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-talk?hl=en.
>
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
