authorXavier Noria <fxn@hashref.com>2011-07-05 01:42:13 +0200
committerXavier Noria <fxn@hashref.com>2011-07-05 01:42:13 +0200
commit289b5253ce476410ff78a5f55248c5a4e6a60223 (patch)
tree3bf8b5a29c24a0e1afe27e1e3a446459adbf27b5 /actionpack/lib/action_controller/metal
parent892c99ca5cfc8b9ea1a06066f23bec847838f7f8 (diff)
parent254a1e57d79143f21af74e1aa289ba546b3be821 (diff)
Merge branch 'master' of git://github.com/lifo/docrails
Diffstat (limited to 'actionpack/lib/action_controller/metal')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb13
1 files changed, 7 insertions, 6 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 2080e9b5b9..2271470334 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -7,17 +7,16 @@ module ActionController #:nodoc:
# Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
# by including a token in the rendered html for your application. This token is
# stored as a random string in the session, to which an attacker does not have
- # access. When a request reaches your application, \Rails then verifies the received
- # token with the token in the session. Only HTML and javascript requests are checked,
+ # access. When a request reaches your application, \Rails verifies the received
+ # token with the token in the session. Only HTML and JavaScript requests are checked,
# so this will not protect your XML API (presumably you'll have a different
# authentication scheme there anyway). Also, GET requests are not protected as these
# should be idempotent.
#
# CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
- # which will check the token and raise an ActionController::InvalidAuthenticityToken
- # if it doesn't match what was expected. A call to this method is generated for new
- # \Rails applications by default. You can customize the error message by editing
- # public/422.html.
+ # which checks the token and resets the session if it doesn't match what was expected.
+ # A call to this method is generated for new \Rails applications by default.
+ # You can customize the error message by editing public/422.html.
#
# The token parameter is named <tt>authenticity_token</tt> by default. The name and
# value of this token must be added to every layout that renders forms by including
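Review bot: The re-added sentence `You can customize the error message by editing public/422.html.` no longer follows from the line above it, which now says an unverified request resets the session instead of raising ActionController::InvalidAuthenticityToken; with a plain session reset there is presumably no 422 response for that page to customize, so the hint reads as stale. Either drop the sentence or tie it to the raising behaviour, e.g. `If you override handle_unverified_request to raise ActionController::InvalidAuthenticityToken instead, the error page can be customized by editing public/422.html.` The hook name is the one documented in the second hunk of this file. The surrounding comment block continues outside this hunk.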
@@ -79,6 +78,8 @@ module ActionController #:nodoc:
end
end
+ # This is the method that defines the application behaviour when a request is found to be unverified.
+ # By default, \Rails resets the session when it finds an unverified request.
def handle_unverified_request
reset_session
end
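Review bot: The new comment on `handle_unverified_request` states the default but not that the method is the override point, which is presumably why it exists as a separate one-line method; a reader choosing how to react to a failed token check needs to know the hook is meant to be redefined and that any override should still deny the request rather than let it proceed with the original session. Suggested extra line: `# Override this method to change that behaviour, e.g. to raise ActionController::InvalidAuthenticityToken, but never let an unverified request continue with its session intact.` The enclosing module starts outside the hunk.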