Strange behavior

Guys,

I’m using some AJAX on my application, but when protect_from_forgery is
on
sometimes it works and sometimes the user session is killed. Today i
found
out why.

It happens the following:

The authenticity_token is sent correctly as you can see below,

Started DELETE
“/clients/118/files/20?authenticity_token=hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWGqkq0pzzwuo=”
for 127.0.0.1 at Wed Apr 27 23:06:50 -0300 2011

but, next line on server is,

Processing by ClippingsController#destroy as JS
Parameters: {“authenticity_token”=>“hoMH9/heaFWXWWy
aE1xKQcpf4xrLoVWGqkq0pzzwuo=”, “id”=>“20,”, “client_id”=>“118”}

as you can see, the plus sign (’+’) turned into a white space. Once the
token doesn’t match the user session is killed.

Is someone experiencing this ? Any help how to fix it ?

Thanks,
Ernesto

On 28 Apr 2011, at 03:22, Ernesto R. [email protected] wrote:

but, next line on server is,

Processing by ClippingsController#destroy as JS
Parameters: {“authenticity_token”=>“hoMH9/heaFWXWWy
aE1xKQcpf4xrLoVWGqkq0pzzwuo=”, “id”=>“20,”, “client_id”=>“118”}

as you can see, the plus sign (’+’) turned into a white space. Once the token
doesn’t match the user session is killed.

Is someone experiencing this ? Any help how to fix it ?

  • in urls means space - if the token genuinely contains + then you need
    to escape it before putting it in the URL.

Fred

How i escape it before the rails server process it ?

Thanks,
Ernesto

On Thu, Apr 28, 2011 at 4:58 AM, Frederick C. <

On Apr 29, 3:06am, Ernesto R. [email protected] wrote:

How i escape it before the rails server process it ?

You’ll need to do that at the point that you add the token to the link

Fred

On 30 Apr 2011, at 12:48, Ernesto R. [email protected] wrote:

I did some brute force only to test, like this:

some characters are escaped, but now the link_to … :method => delete is not
working anymore (the user session is killed).

If I user URI.escape the plus sign is not escaped.

How are you adding the authenticity token to the URL ? (Ps, rails has a
csrf_meta_tag helper)

Fred

I’m using csrf_meta_tag and the the headers appears correctly. The
problem
is when the athenticity_token has a plus sign and I use any of Jquery
ajax
function. So I tried to render the form_authenticity_token already
escaped
using that method above ( CGI.escape), but now the jquery ajax function
works and this line isn’t working anymore(when i click):

<%= link_to “Destroy”, [@client, address], :confirm => ‘Are you sure?’,
:method => :delete %>

After the click there ins’t user session anymore:

Started POST “/clients/97” for 127.0.0.1 at Sat Apr 30 21:49:15 -0300
2011
Processing by ClientsController#destroy as HTML
Parameters:
{“authenticity_token”=>“MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT%2BTL28%2BI%3D”,
“id”=>“97”}

When I use ajax is ok:

Started DELETE
“/clients/118/files/9?authenticity_token=MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT%2BTL28%2BI%3D”
for 127.0.0.1 at Sat Apr 30 21:48:52 -0300 2011
Processing by ClippingsController#destroy as JS
Parameters:
{“authenticity_token”=>“MCVYdvbAS4i7BiRaDZig9VHXbxltKo84BgDT+TL28+I=”,
“id”=>“9,”, “client_id”=>“118”}

In both cases the csrf header is exactly the same and i’m using the
CGI.escape method.

Any help ?

Thanks,
Ernesto

On Sat, Apr 30, 2011 at 9:27 AM, Frederick C. <

Sorry about this mess, but I just figured it out what was really
happening
and fixed it.

Rails probably always interpret the plus sign as a white space, but
everything started because I couldn’t find how the authenticity_token is
sent using <%= link_to “Destroy”, [@client, address], :confirm => ‘Are
you
sure?’, :method => :delete %>, initially I thought it was sent without
any
encoding. So I couldn’t say the difference between the request generated
by
the link_to method and my ajax request ( Started DELETE
“/clients/118/files/20?authenticity_token=hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWGqkq0pzzwuo=”
for 127.0.0.1 at Wed Apr 27 23:06:50 -0300 2011 ).

I think Rails under the hood encode the authenticity_token before
sending
it. So, now i’m doing it on javascript:

token_param = “authenticity_token=” + encodeURIComponent(token);

And this generates: “authenticity_token=
hoMH9%2FheaFWXWWy%2BaE1xKQcpf4xrLoVWGqkq0pzzwuo%3D”

Then, it’s solved! Thanks for all the help!

Ernesto

You can use url_encode() helper in rails. For me, it solved the plus
signs in URL problem.

for debugging purposes, you may set config/initializers/session_store.rb
like this:

ActionController::Base.session = {
:key => somekey,
:secret => somesecret,
:expire_after => 1.minute
}

So authentication_token changes every minute.
Check your browser to see cookie expire dates.

I’m using rails 2.3.10

I did some brute force only to test, like this:

some characters are escaped, but now the link_to … :method => delete
is
not working anymore (the user session is killed).

If I user URI.escape the plus sign is not escaped.

So, i’m still at point zero.

Thanks,
Ernesto

On Fri, Apr 29, 2011 at 6:10 AM, Frederick C. <

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs