Sorry about this mess, but I just figured out what was really happening and fixed it.

Rails probably always interprets the plus sign as a white space, but everything started because I couldn't find how the authenticity_token is sent using <%= link_to "Destroy", [@client, address], :confirm => 'Are you sure?', :method => :delete %>; initially I thought it was sent without any encoding. So I couldn't tell the difference between the request generated by the link_to method and my ajax request (Started DELETE "/clients/118/files/20?authenticity_token=hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWGqkq0pzzwuo=" for 127.0.0.1 at Wed Apr 27 23:06:50 -0300 2011). I think Rails under the hood encodes the authenticity_token before sending it.

So, now I'm doing it in javascript:

token_param = "authenticity_token=" + encodeURIComponent(token);

And this generates:

"authenticity_token=hoMH9%2FheaFWXWWy%2BaE1xKQcpf4xrLoVWGqkq0pzzwuo%3D"

Then, it's solved! Thanks for all the help!

Ernesto

On Sat, Apr 30, 2011 at 9:56 PM, Ernesto Rocha <[email protected]> wrote:

> I'm using csrf_meta_tag and the headers appear correctly. The problem is when the authenticity_token has a plus sign and I use any of the jQuery ajax functions. So I tried to render the form_authenticity_token already escaped using that method above (CGI.escape), but now the jquery ajax function works and this line isn't working anymore (when I click):
>
> <%= link_to "Destroy", [@client, address], :confirm => 'Are you sure?', :method => :delete %>
>
> After the click there isn't a user session anymore:
>
> Started POST "/clients/97" for 127.0.0.1 at Sat Apr 30 21:49:15 -0300 2011
> Processing by ClientsController#destroy as HTML
> Parameters: {"authenticity_token"=>"MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT%2BTL28%2BI%3D", "id"=>"97"}
>
> When I use ajax it's ok:
>
> Started DELETE "/clients/118/files/9?authenticity_token=MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT%2BTL28%2BI%3D" for 127.0.0.1 at Sat Apr 30 21:48:52 -0300 2011
> Processing by ClippingsController#destroy as JS
> Parameters: {"authenticity_token"=>"MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT+TL28+I=", "id"=>"9,", "client_id"=>"118"}
>
> In both cases the csrf header is exactly the same and I'm using the CGI.escape method.
>
> Any help?
>
> Thanks,
> Ernesto
>
> On Sat, Apr 30, 2011 at 9:27 AM, Frederick Cheung <[email protected]> wrote:
>
>> On 30 Apr 2011, at 12:48, Ernesto Rocha <[email protected]> wrote:
>>
>> I did some brute force only to test, like this:
>>
>> <meta name="csrf-param" content="authenticity_token"/>
>> <meta name="csrf-token" content="<%= CGI.escape form_authenticity_token %>"/>
>>
>> some characters are escaped, but now the link_to ... :method => delete is not working anymore (the user session is killed).
>>
>> If I use URI.escape the plus sign is not escaped.
>>
>> How are you adding the authenticity token to the URL? (PS, rails has a csrf_meta_tag helper)
>>
>> Fred
>>
>> So, I'm still at point zero.
>>
>> Thanks,
>> Ernesto
>>
>> On Fri, Apr 29, 2011 at 6:10 AM, Frederick Cheung <[email protected]> wrote:
>>
>>> On Apr 29, 3:06 am, Ernesto Rocha <[email protected]> wrote:
>>> > How do I escape it before the rails server processes it?
>>>
>>> You'll need to do that at the point that you add the token to the link
>>>
>>> Fred
>>>
>>> > Thanks,
>>> > Ernesto
>>> >
>>> > On Thu, Apr 28, 2011 at 4:58 AM, Frederick Cheung <[email protected]> wrote:
>>> >
>>> > > On 28 Apr 2011, at 03:22, Ernesto Rocha <[email protected]> wrote:
>>> > >
>>> > > Guys,
>>> > >
>>> > > I'm using some AJAX on my application, but when protect_from_forgery is on sometimes it works and sometimes the user session is killed. Today I found out why.
>>> > >
>>> > > The following happens:
>>> > >
>>> > > The authenticity_token is sent correctly as you can see below,
>>> > >
>>> > > Started DELETE "/clients/118/files/20?authenticity_token=hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWGqkq0pzzwuo=" for 127.0.0.1 at Wed Apr 27 23:06:50 -0300 2011
>>> > >
>>> > > but, next line on server is,
>>> > >
>>> > > Processing by ClippingsController#destroy as JS
>>> > > Parameters: {"authenticity_token"=>"hoMH9/heaFWXWWy aE1xKQcpf4xrLoVWGqkq0pzzwuo=", "id"=>"20,", "client_id"=>"118"}
>>> > >
>>> > > as you can see, the plus sign ('+') turned into a white space. Once the token doesn't match the user session is killed.
>>> > >
>>> > > Is someone experiencing this? Any help on how to fix it?
>>> > >
>>> > > + in urls means space - if the token genuinely contains + then you need to escape it before putting it in the URL.
>>> > >
>>> > > Fred
>>> > >
>>> > > Thanks,
>>> > > Ernesto

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
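The encoding behaviour the whole thread works through, as an added example that is not part of the original thread nor of Rails or jQuery. It uses a constructed token that only mimics the base64 shape of a real one, and it uses URLSearchParams to stand in for the server-side decoding of form-encoded data (Rack decodes a query string the same way: '+' becomes a space and %XX becomes a byte, which is exactly what the log lines in the thread show). It reproduces three cases: raw concatenation (token loses its '+'), encodeURIComponent (token survives), and the CGI.escape-in-the-meta-tag experiment followed by a generated form POST (token is double-encoded, matching the "%2B" seen in the POST params). The X-CSRF-Token header shown at the end is the header Rails reads for XHR requests and is the route that avoids URL encoding of the token entirely.

```javascript
// Added example (not from the thread): how a CSRF token containing '+' is
// mangled by form-urlencoded decoding, and how percent-encoding fixes it.
// SAMPLE_TOKEN is constructed; it only imitates the base64 shape of a real token.
const SAMPLE_TOKEN = "hoMH9/abc+def+xyz=";

// Stand-in for the server side (Rack) decoding of a query string or form body:
// '+' is decoded as a space and %XX sequences are decoded to their byte.
function parseQuery(queryString) {
  const out = {};
  for (const [key, value] of new URLSearchParams(queryString)) out[key] = value;
  return out;
}

// The broken construction from the start of the thread: raw concatenation,
// so any '+' in the token is read as a space by the server.
function rawTokenParam(token) {
  return "authenticity_token=" + token;
}

// The fix from the thread: percent-encode the value before it enters the URL.
function encodedTokenParam(token) {
  return "authenticity_token=" + encodeURIComponent(token);
}

// What a browser-generated form POST does with a field value: it encodes the
// value itself. If the value was already escaped (CGI.escape in the <meta>
// tag), the '%' signs get encoded again and the server sees "%2B", not "+".
function formPostBody(tokenFromMetaTag) {
  return new URLSearchParams({ authenticity_token: tokenFromMetaTag }).toString();
}

// Stand-in for the Rails check: the decoded param must equal the session token.
function tokenMatches(decodedParams, sessionToken) {
  return decodedParams.authenticity_token === sessionToken;
}

// Alternative that needs no URL encoding at all: send the token in the
// X-CSRF-Token request header, which Rails accepts for XHR requests.
function xhrHeaders(token) {
  return { "X-CSRF-Token": token, "X-Requested-With": "XMLHttpRequest" };
}

// Runs the three cases and reports what the server would see for each.
function demo() {
  const raw = parseQuery(rawTokenParam(SAMPLE_TOKEN));
  const encoded = parseQuery(encodedTokenParam(SAMPLE_TOKEN));
  const preEscaped = encodeURIComponent(SAMPLE_TOKEN); // plays the role of CGI.escape
  const doubled = parseQuery(formPostBody(preEscaped));
  return {
    rawDecoded: raw.authenticity_token,           // '+' turned into spaces
    encodedDecoded: encoded.authenticity_token,   // identical to SAMPLE_TOKEN
    doubleEncoded: doubled.authenticity_token,    // still carries %2F %2B %3D
    rawOk: tokenMatches(raw, SAMPLE_TOKEN),
    encodedOk: tokenMatches(encoded, SAMPLE_TOKEN),
    doubleOk: tokenMatches(doubled, SAMPLE_TOKEN),
  };
}

console.log(demo());
```

Only the encodeURIComponent case passes the comparison; the raw case fails because of the space, and the pre-escaped case fails because the value was encoded twice, which is the mismatch behind the killed session in the thread's POST log. Escaping once, at the point where the value is placed into the URL, is the rule, and putting the token in a header sidesteps the question.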

