Donal Ellis 2 posts

Hi

Being a rails/ruby newbie, I spent a lot of time (but learned a lot) getting your simple app in chapter 1 to work. I worked out that because protect_from_forgery is turned on by default in application.rb, whenever I posted the form in the example, I got an ActionController::InvalidAuthenticityToken exception thrown. I could see I could comment out the call to protect_from_forgery and so avoid the problem, but I couldn’t work out why it wasn’t working…

So finally I worked out I had to manually put the token (obtained with a call to form_authenticity_token) in a hidden field named “authenticity_token” in the form. This is done for you if you’re using a helper to create the form, but this is not the case in the example.

You might want to work this into your example somehow to avoid the problem…or I might be just missing something, so please let me know if I am.

Otherwise, really enjoying the book, thanks.

Donal

 
Derek DeVries 8 posts

Donal,

Thanks for pointing this out.

As you found out, the error occurs because of the CSRF (Cross-Site Request Forgery) protection added to Rails 2.0. We missed updating this example to account for the CSRF feature when we released the initial beta.

You were on the right track with the hidden “authenticity_token” field, but the preferred way is to use a form helper as you mention. The current beta version of the book (released just a couple days ago) updates the example to do just this. We’ve made this fix along with others, so now is a good time to get the newest version of the beta book in your pragprog account.

Derek
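
A simplified, standard-library model of the token check discussed in this thread, added here as an illustration; it is not code from the book or from Rails itself. Only `form_authenticity_token` and the `authenticity_token` field name come from the thread; `verify_token!`, `submit`, `accepted?`, the session key and the sample forms are assumptions.

```ruby
require 'securerandom'
require 'erb'

# Stand-in for ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

# Simplified model: one random token per session, kept server-side.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison, so timing does not reveal how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Check run before every non-GET action (hypothetical name).
def verify_token!(session, http_method, params)
  return true if http_method == 'GET'
  expected = session[:_csrf_token]
  given = params['authenticity_token'].to_s
  raise InvalidAuthenticityToken unless expected && secure_compare(expected, given)
  true
end

# Constructed sample forms: the hand-written one, then the corrected one.
BARE_FORM = '<form action="/people" method="post"><input name="name"></form>'
TOKEN_FORM = '<form action="/people" method="post">' \
  '<input type="hidden" name="authenticity_token" ' \
  'value="<%= ERB::Util.html_escape(token) %>"><input name="name"></form>'

# Render a form for this session; return the params a browser would post back.
def submit(template, session)
  html = ERB.new(template).result_with_hash(token: form_authenticity_token(session))
  params = { 'name' => 'Donal' }
  # Base64 tokens contain no characters that HTML escaping changes.
  m = html.match(/name="authenticity_token" value="([^"]*)"/)
  params['authenticity_token'] = m[1] if m
  params
end

# True when the request passes the check, false when it would raise.
def accepted?(session, http_method, params)
  verify_token!(session, http_method, params)
rescue InvalidAuthenticityToken
  false
end
```

The form without the hidden field is rejected on POST even for a legitimate user, which is the exception described in the first post; a token issued to a different session is rejected the same way.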

 
Donal Ellis 2 posts

Thanks Derek, got the updated pdf and tried out the new version of the example, nice! Up to chapter 3 and enjoying the book a lot!

 
brandon shi 1 post

Derek, are you talking about the Beta version of the Rails book? I can’t seem to find it in my account for download.

 
Mike Naberezny 4 posts

Brandon,

Yes, the example was updated in the second beta release of our “Rails for PHP Developers” book.

On this website, visit “Your Account” and then select “Regenerate a PDF” from the sidebar. From there, you can select to generate the latest PDF for “Rails for PHP Developers” that includes this change and quite a few others.

Regards,
Mike

5 posts, 4 voices