author: PaulL1 <PaulL1@users.noreply.github.com> 2014-04-17 14:04:40 +0200
committer: PaulL1 <PaulL1@users.noreply.github.com> 2014-04-17 14:04:40 +0200
commit: 92fd44b35df65556c8baad565421fd8fd44ee509 (patch)
tree: 1eb28af58704e815231865441feeb45d3438466d /guides/source
parent: 542457b5d2f56baafd60a0e46f1bfb9eb481e61b (diff)
CSRF protection should rescue exception not extend
I think the changes to the default behaviour mean that rails will throw an exception when an invalid authenticity token is found. The previous proposed code of calling super then sign_out meant that sign_out was never reached - the exception handler never returned. I think the best approach now is to catch the exception, although I'm not 100% certain on that.
Diffstat (limited to 'guides/source')
-rw-r--r-- guides/source/security.md | 5
1 file changed, 2 insertions, 3 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index 15b28664b7..a901589e4f 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -250,9 +250,8 @@ This will automatically include a security token in all forms and Ajax requests
It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself:
```ruby
-def handle_unverified_request
- super
- sign_out_user # Example method that will destroy the user cookies.
+rescue_from ActionController::InvalidAuthenticityToken do |exception|
+ sign_out_user # Example method that will destroy the user cookies
end
```
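Review bot: the `rescue_from` handler added in this hunk signs the user out but neither renders a response nor re-raises, so the example leaves it unstated what the request returns once `sign_out_user` has run; since the guide text just above tells readers they "must handle what to do with it yourself", the example should end the request explicitly, for instance by adding `head :unprocessable_entity` after the `sign_out_user` line, so a request carrying an invalid authenticity token is rejected rather than left to fall through. Two small points on the same lines: the `|exception|` block parameter is unused and can be dropped, and the trailing period of the original comment was lost in the `+ sign_out_user` line.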