Question on authenticity tokens

Does anyone find them useful? I can see them being good in some cases,
but I have many exceptions that occur because of expired sessions. I am
also not sure if they are really required for pages that require a login
to access.

The other place that they cause issues is in javascript requests. I am
not using the built-in helpers, and all the javascript exists in
separate js files. There are ways to get around this, but they are
sloppy.

Is there a way to turn them off?

Here is an example of the code that requires the token. If anyone knows
an easy way to solve the problem please let me know.

$(document).ready(function(){
  $(".photos img").draggable();
  $("#trash").droppable({
    accept: "img",
    drop: function(ev, ui){
      // POST to .../photos/:id with _method=delete (Rails method override).
      // The authenticity_token value is the problem: it has to be the
      // current user's session token, which this separate js file cannot see.
      var url = window.location + "/photos/" + ui.draggable.attr("id");
      $.post(url, {'_method': "delete", 'authenticity_token':
        "need_the_users_token_here"}, function(){
        $(ui.draggable).remove();
      });
      return false;
    }
  });
});

On 7 May 2008, at 18:31, Chris O. wrote:

am
not using the built-in helpers, and all the javascript exists in
separate js files. There are ways to get around this, but they are
sloppy.

Is there a way to turn them off?

It's turned on by the protect_from_forgery line in your
application.rb. The rdoc for that method should show you how to have it
enabled only for some stuff and how to generate the token

Fred

My ramblings: http://www.spacevatican.org

Hey Fred,
Thanks for the info.

As mentioned in the protect_from_forgery docs, setting a window._token
var in the application template file allows one to easily pass the
token.

ex
$.post(url, {'_method': "delete", 'authenticity_token': window._token},
  function(){
    // success callback unchanged
  });

For one small live app I get the occasional exception email notifying me
that someone's authentication token expired. I have never been able to
replicate this exception. Does anyone know if the user is getting
slapped with a 422, or are they just being redirected to the login page?

Thanks.

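A safer way to wire the token in, as an added example that is not code from the thread: it assumes the layout sets window._token as Chris describes, that each img id is the numeric photo id, that the app's login page is at /login, and that a rejected token comes back as the 422 he asks about. The pure helpers are kept apart from the jQuery glue so they can be tested without a browser.

```javascript
// Added example (not from the thread). Assumptions: the Rails layout emits
// `window._token = "<%= form_authenticity_token %>"`, a rejected token is
// answered with HTTP 422, and the login page is /login.

// Build the POST body for a Rails mutating request: the `_method` override
// plus the per-session authenticity token. Refusing to build a request with
// no token surfaces a missing window._token in the page immediately, rather
// than as an InvalidAuthenticityToken exception e-mail from the server.
function railsParams(method, token, extra) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("authenticity_token missing: layout must set window._token");
  }
  return Object.assign({ _method: method, authenticity_token: token }, extra || {});
}

// Build the resource path from the id alone; concatenating onto
// window.location (as in the original snippet) glues onto the page URL.
function photoPath(photoId) {
  if (!/^\d+$/.test(String(photoId))) {
    throw new Error("photo id must be numeric, got: " + photoId);
  }
  return "/photos/" + photoId;
}

// Map a failed response to a recovery action. 422 means the token was not
// accepted (typically a stale session): send the user back to login instead
// of leaving the drag-and-drop silently half done.
function recoveryAction(status) {
  return status === 422 ? "relogin" : "error";
}

// Browser glue: needs jQuery + jQuery UI, like the original snippet.
function bindTrashDroppable() {
  $("#trash").droppable({
    accept: "img",
    drop: function (ev, ui) {
      $.ajax({
        type: "POST",
        url: photoPath(ui.draggable.attr("id")),
        data: railsParams("delete", window._token),
        success: function () { $(ui.draggable).remove(); },
        error: function (xhr) {
          if (recoveryAction(xhr.status) === "relogin") { window.location = "/login"; }
        }
      });
      return false;
    }
  });
}
```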
