mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
CSRF protection should rescue exception not extend
I think the changes to the default behaviour mean that Rails will throw an exception when an invalid authenticity token is found. The previously proposed code of calling super then sign_out meant that sign_out was never reached - the exception handler never returned. I think the best approach now is to catch the exception, although I'm not 100% certain on that.
This commit is contained in:
parent
542457b5d2
commit
92fd44b35d
1 changed files with 2 additions and 3 deletions
@ -250,9 +250,8 @@ This will automatically include a security token in all forms and Ajax requests
It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself:
```ruby
def handle_unverified_request
super
sign_out_user # Example method that will destroy the user cookies.
rescue_from ActionController::InvalidAuthenticityToken do |exception|
sign_out_user # Example method that will destroy the user cookies
end
```
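Review bot: the new `rescue_from ActionController::InvalidAuthenticityToken` block only calls `sign_out_user` and neither renders nor redirects, so a reader who copies the snippet has no response defined for the rejected request; the example should end with an explicit response (for instance a redirect to the sign-in page) so the forged request is visibly refused rather than left to whatever the framework renders by default. Two smaller points on the same lines: `rescue_from` is a class-level declaration and, unlike the `handle_unverified_request` override it replaces, cannot sit inside a method, so the surrounding prose should say it belongs in the controller class body (typically `ApplicationController`); and the block parameter `exception` is never used, so `do |exception|` can be shortened to `do` to avoid an unused-variable warning.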