Forum: Ruby on Rails authenticity_token sent, still InvalidAuthenticityToken

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Ca6208c0ab0061ded967ce0d4afa5e71?d=identicon&s=25 Anjan Tek (t_anjan)
on 2008-10-10 14:29
Hi!

To send the authenticity token from flex back to the server, I followed
this:
http://blog.dt.org/index.php/2008/06/rails-2-flex-...

I have two controllers in my rails app. The method described in the link
above works with the actions in one controller, but does not work with
the other.

The controller which does not work has just one action which performs a
file upload. In this controller, if I don't put "skip_before_filter
:verify_authenticity_token" at the top, the file upload doesn't work. I
have pasted the upload action below:

def upload_image
    directory = "public" + params[ :temp_Image_Location ].to_s
    pRandomFileName = params[ :random_File_Name ].to_s
    pFileData = params[ :Filedata ]

    vFilePath = File.join( directory, pRandomFileName )

    succeeded = File.open( vFilePath, "wb" ) { |vBuffer| vBuffer.write(
pFileData.read ) }

    render(:xml => "<response>Finished!</response>") if succeeded
  end

Why is it that the authenticity_token variable is being detected in one
controller and not the other? I'd be very grateful if someone could help
me out with this.

Thanks.
Anjan
83ca41657a99b65d99889abe712ba5e2?d=identicon&s=25 Jason Roelofs (Guest)
on 2008-10-10 15:41
(Received via mailing list)
Authenticity token is checked for all POST requests (aka POST / PUT /
DELETE). If you're doing just GET then the system doesn't look for a
token.

An easier way to grab the auth token than what's specified in the blog
post is to use ExternalInterface and a javascript function:

html:

<script language="Javascript">
function getAuthKey() { return "<%= form_authenticity_token %>"; }
</script>

Flash:

var authToken:String = ExternalInterface.call("getAuthKey");

Which then needs to be added to the .data field of an URLRequest you
process.

Hope that helps.

Jason

On Fri, Oct 10, 2008 at 8:29 AM, Anjan Tek
Ca6208c0ab0061ded967ce0d4afa5e71?d=identicon&s=25 Anjan Tek (t_anjan)
on 2008-10-10 16:05
Hi!

I am using POST, not GET.

Thanks for the tip. I changed my code to use the external interface call
from flex. But the problem persists. Even with my previous code, there
wasn't any problem in sending the authenticity token from flex to rails.
Rails is receiving the token, as shown in the log output.

Processing QuestionsController#insert (for 192.170.50.67 at 2008-10-10
19:39:21) [POST]
  Session ID:
BAh7BzoMY3NyZl9pZCIlNjJiYjY0OTQ1NGQ3MWI1OWE5OWM2MTMzNzFjNzdj
NjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=--8e7dec53efd7dd4aaadd3c78e0b1d224e1cd55e7
  Parameters: {"xml_Question"=>"<error>Error</error>",
"authenticity_token"=>"26614e317154739eade694d4721873093f317384",
"temp_Image_Location"=>"http://192.170.50.67:3000/images/temp",
"action"=>"insert", "uuid"=>"", "controller"=>"questions",
"images_To_Be_Moved"=>""}
Completed in 0.00364 (274 reqs/sec) | Rendering: 0.00011 (2%) | DB:
0.00000 (0%) | 200 OK [http://192.170.50.67/questions/insert]

The above is the log output for the controller which works.


The following log output is for the image upload action.

Processing UploadController#upload_image (for 192.170.50.67 at
2008-10-10 19:39:48) [POST]
  Session ID: 8ce910b4f637abc4a02844057c6ebc0b
  Parameters: {"Filename"=>"France.gif",
"authenticity_token"=>"26614e317154739eade694d4721873093f317384",
"temp_Image_Location"=>"/images/temp", "action"=>"upload_image",
"Upload"=>"Submit Query", "controller"=>"upload",
"random_File_Name"=>"1223647783541_517.gif",
"Filedata"=>#<ActionController::UploadedStringIO:0x25ee6cc>}


ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):
    /Library/Ruby/Gems/1.8/gems/actionpack-2.1.0/lib/action_controller/request_forgery_protection.rb:86:in
`verify_authenticity_token'


As you can see, I'm using POST and the "authenticity_token" variable is
present. What worked for the first controller, is not working for the
second. I can't figure out why.

Any insights?

Thanks.
Anjan
83ca41657a99b65d99889abe712ba5e2?d=identicon&s=25 Jason Roelofs (Guest)
on 2008-10-10 16:23
(Received via mailing list)
Hmm, ok. The only other time I've seen this behaviour is when the
cookie for the site isn't getting set, or is getting set with the
wrong domain. One quick test, could you compare the authenticity token
value as put in the HTML vs what gets passed in as a post parameter?

Jason

On Fri, Oct 10, 2008 at 10:05 AM, Anjan Tek
Ca6208c0ab0061ded967ce0d4afa5e71?d=identicon&s=25 Anjan Tek (t_anjan)
on 2008-10-14 17:13
I don't understand what you want me to do exactly. Isn't the
authenticity token being sent from the HTML to Flex in the first place?
That same value is coming back from flex as a POST variable, right?

So how would they differ?

Do you want me to put a text field in the HTML and put the authenticity
token into it and check if the POST value matches it?

I'm confused.
81b61875e41eaa58887543635d556fca?d=identicon&s=25 Frederick Cheung (Guest)
on 2008-10-14 17:36
(Received via mailing list)
On 14 Oct 2008, at 16:13, Anjan Tek wrote:

> token into it and check if the POST value matches it?
>

One avenue to explore is that the authenticity token is based on the
session (either a value in it, or the session etc...) if the flex
stuff doesn't use rails' session cookie then you would get an invalid
authenticity token error.

Fred
83ca41657a99b65d99889abe712ba5e2?d=identicon&s=25 Jason Roelofs (Guest)
on 2008-10-14 17:40
(Received via mailing list)
On Tue, Oct 14, 2008 at 11:25 AM, Frederick Cheung
<frederick.cheung@gmail.com> wrote:
>> So how would they differ?
>
> Fred
>

What Fred said. Open up the HTML source in your browser and find the
authenticity token. Now open up the web server logs
(log/development.log most likely). Now do the post from Flex.

Compare the two values. They're probably different for you and that's
what's throwing the error. The difference is because the auth token is
built from the session id, and if your session stuff is messed up
somehow, Rails will find a discrepency and error out.

Jason
Ca6208c0ab0061ded967ce0d4afa5e71?d=identicon&s=25 Anjan Tek (t_anjan)
on 2008-10-15 09:30
This is in my HTML source:

<script language="Javascript">
function getAuthenticityToken()
{
  return "86b74406048a7f629bd560eab8de771a74c620be";
}
</script>

___________________________________________

And this is what I get from the logs:

Processing UploadController#upload_image (for 192.170.50.67 at
2008-10-15 12:58:50) [POST]
  Session ID: fbcd2a610aa9c048c82f1d5733f56837
  Parameters: {"Filename"=>"Sunflower.gif",
"temp_Image_Location"=>"/images/temp",
"authenticity_token"=>"86b74406048a7f629bd560eab8de771a74c620be",
"action"=>"upload_image", "Upload"=>"Submit Query",
"controller"=>"upload", "random_File_Name"=>"1224055727771_274.gif",
"Filedata"=>#<ActionController::UploadedStringIO:0x2701294>}


ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):

____________________________

As you can see, both the values are the same. Still I'm getting the same
error.

I repeat, the same code works for another controller. If what you are
suggesting was really the case, is it possible for just one controller
to be affected?
81b61875e41eaa58887543635d556fca?d=identicon&s=25 Frederick Cheung (Guest)
on 2008-10-15 10:17
(Received via mailing list)
On Oct 15, 8:30 am, Anjan Tek <rails-mailing-l...@andreas-s.net>
wrote:
> "Filedata"=>#<ActionController::UploadedStringIO:0x2701294>}
>
> ActionController::InvalidAuthenticityToken
> (ActionController::InvalidAuthenticityToken):
>
> ____________________________
>
> As you can see, both the values are the same. Still I'm getting the same
> error.
>
But is the session id the same for the request for the page where you
click upload and for the upload request itself ?(and obviously when
the session id changes so does the authenticity token, so that hard
coded value in getAuthenticityToken will only get you so far.)

Fred
Ca6208c0ab0061ded967ce0d4afa5e71?d=identicon&s=25 Anjan Tek (t_anjan)
on 2008-10-15 12:53
Hi!

I think both of you have hit the nail on the head.

Just to avoid confusion, I placed all 3 of my methods in question into
the same controller (one working method, one method that does not work
and one method which renders the page that has the flex app in it).

Here is the log output when I load the rails app in my browser: (I've
set map.root to execute the "index" method.
__________________________________________

Processing QuestionsController#index (for 192.170.50.67 at 2008-10-15
15:56:47) [GET]
  Session ID: 594b5d72d93b07f9d6a272f301a3e0f7
  Parameters: {"action"=>"index", "controller"=>"questions"}
Rendering questions/index
Completed in 0.00188 (531 reqs/sec) | Rendering: 0.00042 (22%) | DB:
0.00000 (0%) | 200 OK [http://192.170.50.67/]


Processing QuestionsController#index (for 192.170.50.67 at 2008-10-15
15:56:47) [GET]
  Session ID:
BAh7BzoMY3NyZl9pZCIlOTdiYWM0MDM0OGM0NmRmZDkzZWJiMDhhNzIwYjIy
ODQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=--1a32065d2fd99849429fc9dec4dcb26ec4e3623a
  Parameters: {"action"=>"index", "controller"=>"questions",
"debug"=>"true"}
Rendering questions/index
Completed in 0.00193 (517 reqs/sec) | Rendering: 0.00045 (23%) | DB:
0.00000 (0%) | 200 OK [http://192.170.50.67/?debug=true]

________________________________________

I've got no idea why it executes the same method twice, but it looks
like the second Session ID is what sticks.

Here is the log output when I call the "insert" method that works:

__________________________________________

Processing QuestionsController#insert (for 192.170.50.67 at 2008-10-15
15:58:24) [POST]
  Session ID:
BAh7BzoMY3NyZl9pZCIlOTdiYWM0MDM0OGM0NmRmZDkzZWJiMDhhNzIwYjIy
ODQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=--1a32065d2fd99849429fc9dec4dcb26ec4e3623a
  Parameters:
{"authenticity_token"=>"86b74406048a7f629bd560eab8de771a74c620be",
"temp_Image_Location"=>"/images/temp", "images_To_Be_Published"=>"",
"action"=>"insert", "uuid"=>"927EE8CA-C86B-DDEC-C444-000C98986267",
"separator"=>"&&", "controller"=>"questions"}
Completed in 0.00565 (176 reqs/sec) | Rendering: 0.00018 (3%) | DB:
0.00000 (0%) | 200 OK [http://192.170.50.67/questions/insert]

__________________________________________

Notice that the Session ID is the same as the "index" method call.


Here is the log output when I call the "upload_image" method that DOES
NOT WORK:

__________________________________________


Processing QuestionsController#upload_image (for 192.170.50.67 at
2008-10-15 15:57:33) [POST]
  Session ID: 8e7a7ad93525bce8a253542d8812ea4a
  Parameters: {"Filename"=>"Spiked.gif",
"temp_Image_Location"=>"/images/temp",
"authenticity_token"=>"86b74406048a7f629bd560eab8de771a74c620be",
"action"=>"upload_image", "Upload"=>"Submit Query",
"controller"=>"questions", "random_File_Name"=>"1224066450419_711.gif",
"Filedata"=>#<ActionController::UploadedStringIO:0x26d8600>}


ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):

__________________________________________

As both of you suspected, the Session ID is different just for this
method call.
And hence the authenticity token that I send is invalid.

If I call the "insert" method again after the "upload_image" method has
failed, the Session ID is correct again and it works.

But I don't understand why the Session ID is suddenly different for one
particular method.

Any ideas?

Thanks for the help so far.
Ca6208c0ab0061ded967ce0d4afa5e71?d=identicon&s=25 Anjan Tek (t_anjan)
on 2008-10-20 10:26
Any ideas, anyone?
1892eebd31e6e7bbe0408acf4737d3e1?d=identicon&s=25 Chris Maduro (chrismaduro)
on 2008-11-19 16:49
Anjan Tek wrote:
> Any ideas, anyone?

It looks as if "Mister" had the same problem. Although he was using JSP,
i believe you get a good explanation of what is going on.

"Firefox apparently uses another instance of the browser window to
dispatch the uploaded file, this window does not have the session.  I
searched for some possible answer and it seems you need to ask the
correction combination of questions to find the solution.   The Flex
documentation seems to hint at part of the issue, but nothing direct
enough."

http://thanksmister.com/?p=59
Ca6208c0ab0061ded967ce0d4afa5e71?d=identicon&s=25 Anjan Tek (t_anjan)
on 2008-11-19 19:16
Thanks. I'll look closer into that. But I was testing on Safari (Mac)
and not Firefox.

But lately, I've been having more problems with the authentication /
session ID stuff. More of my actions started giving me the same error. I
ended up just switching off the verification authenticity globally. It
seems to be such a pain to configure when you are not using plain
erb/rhtml web apps.

And surprisingly few people seem to know about these issues.

Thanks again. I just had quick scan over that post you linked to. I'll
give it a closer look.
00973881979aa0a660ffbbb2f7a907fb?d=identicon&s=25 Peter De Berdt (Guest)
on 2008-11-20 09:59
(Received via mailing list)
On 19 Nov 2008, at 19:16, Anjan Tek wrote:

> And surprisingly few people seem to know about these issues.
Issues that can be overcome very easily (see below). It is a very bad
idea to disable the authenticity token, it was put in place to protect
your site from malicious attacks.

> Thanks again. I just had quick scan over that post you linked to. I'll
> give it a closer look.

The solution is pretty simple to be honest:

In your view layout file, add this to the <header> section:

     <script type="text/javascript" charset="utf-8">
         window._token = '<%= form_authenticity_token -%>';
     </script>

In application.js, add the following:

Ajax.Base.prototype.initialize = Ajax.Base.prototype.initialize.wrap(
   function(p, options){
     p(options);
     this.options.parameters = this.options.parameters || {};
     this.options.parameters.authenticity_token = window._token || '';
   }
);

It will automatically add the authenticity token to ALL ajax requests,
even those you invoke from custom code (graceful degrading and/or even
delegated events for example).

A similar solution for those swapping out Prototype with JQuery has
been posted at
http://henrik.nyh.se/2008/05/rails-authenticity-to...

As for file uploaders, a normal field within a form (multipart=true)
will be sent as part of the form (and isn't an ajax request in the
first place) and shouldn't be a problem. If you are using ANY other
"ajax" uploader, there's more to it. I already posted several times on
how to get SWFUpload to play nicely with Rails, an overview with links
to the appropriate posts can be found here:

http://groups.google.com/group/rubyonrails-talk/br...


Best regards

Peter De Berdt
Ca6208c0ab0061ded967ce0d4afa5e71?d=identicon&s=25 Anjan Tek (t_anjan)
on 2008-11-23 10:34
Hi!

Would your solution above work for Flex apps as well? I'm using no AJAX.
Just Flex and rails. Even the upload is done from within Flex.

As I've mentioned previously in the post, I am sending the authenticity
token along with all my requests to rails. But the problem is that the
authenticity token that is sent become invalid because of a changing
Session ID.

Thanks.

Anjan
00973881979aa0a660ffbbb2f7a907fb?d=identicon&s=25 Peter De Berdt (Guest)
on 2008-11-23 11:28
(Received via mailing list)
On 23 Nov 2008, at 10:34, Anjan Tek wrote:

> Would your solution above work for Flex apps as well? I'm using no
> AJAX.
> Just Flex and rails. Even the upload is done from within Flex.
>
> As I've mentioned previously in the post, I am sending the
> authenticity
> token along with all my requests to rails. But the problem is that the
> authenticity token that is sent become invalid because of a changing
> Session ID.

If you look at the post about getting SWFUpload up and running, you'll
notice there's a patch for the session handling in there that allows
you to pass the session data as normal post parameters instead of a
cookie and make Rails detect and use it. Flex being a Flash-based
frontend, you should be able to do the same. My guess is that
ActionScript will have a similar way of automatically adding that data
to each request. Maybe someone on this list has already integrated a
Flexbased app this way (I know there are some Flex developers on this
list), else you'll have to ask on a Flex forum/mailing list.


Best regards

Peter De Berdt
473573dbec97a074cf0edd7635cdcdef?d=identicon&s=25 Matteo Parmi (tejo)
on 2009-04-10 09:48
Hi
I had the same problem. After some digging and http sniffing I found
this repo on github that solves the problem:
http://github.com/lardawge/swfupload-rails-authent...


The workaround is to use a rack file to filter the request from flex:

require 'rack/utils'

class FlashSessionCookieMiddleware
  def initialize(app, session_key = '_session_id')
    @app = app
    @session_key = session_key
  end

  def call(env)
    if env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/
      params = ::Rack::Utils.parse_query(env['QUERY_STRING'])
      env['HTTP_COOKIE'] = [ @session_key, params[@session_key]
].join('=').freeze unless params[@session_key].nil?
    end
    @app.call(env)
  end
end
C59cae5d861c9f84f6ead08e445745a0?d=identicon&s=25 冷血儿 (Guest)
on 2009-04-11 04:41
(Received via mailing list)
2009/4/10 Matteo Parmi <rails-mailing-list@andreas-s.net>
>
>  def call(env)
>    if env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/
>      params = ::Rack::Utils.parse_query(env['QUERY_STRING'])
>      env['HTTP_COOKIE'] = [ @session_key, params[@session_key]
> ].join('=').freeze unless params[@session_key].nil?
>    end
>    @app.call(env)
>  end


I want to find a way that detection flash client. But I cannot.
There isn't "Flash" string in HTTP_USER_AGENT in Safari.
Someone said check HTTP_X_FLASH_VERSION.
These params appear when I have flash player installed. Also I don't use
flash player visit rails.

So, I don't know how to detection flash client now?
This topic is locked and can not be replied to.