aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
diff options
context:
space:
mode:
authorVijay Dev <vijaydev.cse@gmail.com>2011-07-01 00:00:38 +0530
committerVijay Dev <vijaydev.cse@gmail.com>2011-07-01 00:00:38 +0530
commit5fe67fa7a3c78b2dc7a3f311d1fa518cde52443a (patch)
tree3a20e99825c46184bd6a5f5de1282cbf1409e4b6 /actionpack/lib/action_controller
parent7744177919526a97bda1c08bf46e7250ce156347 (diff)
downloadrails-5fe67fa7a3c78b2dc7a3f311d1fa518cde52443a.tar.gz
rails-5fe67fa7a3c78b2dc7a3f311d1fa518cde52443a.tar.bz2
rails-5fe67fa7a3c78b2dc7a3f311d1fa518cde52443a.zip
update doc about resetting the session in case of authenticity token mismatch
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb11
1 files changed, 5 insertions, 6 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 2080e9b5b9..441b214c4e 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -7,17 +7,16 @@ module ActionController #:nodoc:
# Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
# by including a token in the rendered html for your application. This token is
# stored as a random string in the session, to which an attacker does not have
- # access. When a request reaches your application, \Rails then verifies the received
- # token with the token in the session. Only HTML and javascript requests are checked,
+ # access. When a request reaches your application, \Rails verifies the received
+ # token with the token in the session. Only HTML and JavaScript requests are checked,
# so this will not protect your XML API (presumably you'll have a different
# authentication scheme there anyway). Also, GET requests are not protected as these
# should be idempotent.
#
# CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
- # which will check the token and raise an ActionController::InvalidAuthenticityToken
- # if it doesn't match what was expected. A call to this method is generated for new
- # \Rails applications by default. You can customize the error message by editing
- # public/422.html.
+ # which checks the token and resets the session if it doesn't match what was expected.
+ # A call to this method is generated for new \Rails applications by default.
+ # You can customize the error message by editing public/422.html.
#
# The token parameter is named <tt>authenticity_token</tt> by default. The name and
# value of this token must be added to every layout that renders forms by including