Authenticity token lying around

I’ve attached an Ajax POST request to a link. The request is failing
(InvalidAuthenticityToken) because I’m not sending the authenticity
token with it.

Searching the forums led me to these two methods…

request_forgery_protection_token

… and…

form_authenticity_token

Which I can use to generate the necessary information on my HTML pages.
However, because I am not building a complete form for this request, I
thought I would place the information into an arbitrary input field, but
I’m not sure where.

For the sake of being practical and consistent, I thought the footer a
good place. Example…

Copyright...

With that in place I can reference it via JavaScript as needed.

I don’t think having the authenticity token on every page is less
secure than having it on some pages.

Does anyone feel differently?

How are you creating the Ajax request? Helpers like link_to_remote
should already include the authenticity token. Similarly you can use
remote_function if you need to mix it into other js and that helper
gives you the authenticity token as well.

On Apr 1, 6:51 pm, Daniel W. [email protected]

AndyV wrote:

How are you creating the Ajax request?

With jQuery.

Helpers like link_to_remote
should already include the authenticity token. Similarly you can use
remote_function if you need to mix it into other js and that helper
gives you the authenticity token as well.

True, they do, but I don’t want to mix JavaScript into my HTML – even
if it’s only visible once the page is rendered (i.e. view source).

I also prefer to keep my JavaScript in .js files.

Thanks for the suggestions though. I’ve gone ahead and done as I
described above: put the authenticity token into a hidden field in my
footer. It works as expected and I don’t foresee any issues.

On Wed, Apr 2, 2008 at 2:38 PM, Daniel W.
[email protected] wrote:

gives you the authenticity token as well.

True, they do, but I don’t want to mix JavaScript into my HTML – even
if it’s only visible once the page is rendered (i.e. view source).

I also prefer to keep my JavaScript in .js files.

Thanks for the suggestions though. I’ve gone ahead and done as I
described above: put the authenticity token into a hidden field in my
footer. It works as expected and I don’t foresee any issues.

You could also set something like window.authenticityToken = '<%=
form_authenticity_token %>';

Having it in every page is not a problem. The token is based on your
session id and is unique for everyone. It doesn't replace
authentication in any way.


Rick O.
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
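The two approaches discussed in this thread (Daniel's hidden field in the footer and Rick's window.authenticityToken) both leave the token somewhere a .js file can read it; what the thread does not show is the jQuery side. The following is an added example, not code from the original posts or from Rails or jQuery: it reads the token from either location, adds it only to state-changing requests aimed at the page's own origin (Rails does not verify GETs, and a per-session token should never be posted to a third-party URL), and fails loudly when no token was rendered, since the alternative is a silent InvalidAuthenticityToken. The element id authenticity_token, the pageOrigin argument and the jQuery wiring (which assumes a jQuery whose beforeSend callback receives the settings object, i.e. 1.5 or later) are assumptions.

```javascript
// Added example: attach the Rails authenticity token to jQuery Ajax
// requests from a separate .js file. Not part of the original thread.

var TOKEN_PARAM = 'authenticity_token'; // parameter name Rails checks

// Look for the token where the server may have rendered it:
// 1. window.authenticityToken = '<%= form_authenticity_token %>'
// 2. a hidden field (assumed id 'authenticity_token') in the footer
// Returns null when neither is present.
function readAuthenticityToken(win, doc) {
  if (win && typeof win.authenticityToken === 'string' && win.authenticityToken) {
    return win.authenticityToken;
  }
  var field = doc && typeof doc.getElementById === 'function'
    ? doc.getElementById('authenticity_token') // assumed element id
    : null;
  return field && field.value ? field.value : null;
}

// Rails only verifies the token on state-changing verbs; GET/HEAD never need it.
function needsToken(method) {
  if (typeof method !== 'string') return false;
  var verb = method.toUpperCase();
  return verb !== 'GET' && verb !== 'HEAD';
}

// The token is a per-session secret: send it only to our own origin. A request
// aimed at a third-party URL would otherwise hand that site the user's token.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false; // unparseable URL: treat as foreign
  }
}

// Return the url-encoded request body to send. `body` is whatever form data
// the caller already built (possibly empty). Throws when a token is required
// but none was found on the page, instead of letting the server reject it.
function addAuthenticityToken(method, url, body, token, pageOrigin) {
  if (!needsToken(method) || !isSameOrigin(url, pageOrigin)) {
    return body;
  }
  if (!token) {
    throw new Error('no authenticity token on this page; ' +
      'the request would fail with InvalidAuthenticityToken');
  }
  var pair = TOKEN_PARAM + '=' + encodeURIComponent(token);
  return body ? body + '&' + pair : pair;
}

// Browser wiring (assumption: jQuery 1.5+ passes `settings` to beforeSend).
// Guarded so the file also loads where jQuery and window are absent.
if (typeof jQuery !== 'undefined' && typeof window !== 'undefined') {
  jQuery.ajaxSetup({
    beforeSend: function (xhr, settings) {
      settings.data = addAuthenticityToken(
        settings.type,
        settings.url,
        settings.data || '',
        readAuthenticityToken(window, document),
        window.location.origin
      );
    }
  });
}
```

With this in place a plain `$.post('/posts/1/vote', {up: 1})` gets `authenticity_token=...` appended, while `$.get(...)` and any request to another host are left untouched.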

Rick O. wrote:

You could also set something like window.authenticityToken = '<%=
form_authenticity_token %>';

Having it in every page is not a problem. The token is based on your
session id and is unique for everyone. It doesn't replace
authentication in any way.

Ah, I like that! Setting it in JavaScript makes even more sense!

Good one, Rick. Thanks.