From eccd5cb6108a7bbddffd8d97be46d4ee06cac150 Mon Sep 17 00:00:00 2001 From: Matt Jankowski Date: Sun, 26 Jun 2011 19:41:49 -0400 Subject: elaborate on how web server configuration to check for static files on disk enables page caching to work without hitting the app server stack --- actionpack/lib/action_controller/caching/pages.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'actionpack/lib/action_controller') diff --git a/actionpack/lib/action_controller/caching/pages.rb b/actionpack/lib/action_controller/caching/pages.rb index 8c583c7ce0..9ea2ab0056 100644 --- a/actionpack/lib/action_controller/caching/pages.rb +++ b/actionpack/lib/action_controller/caching/pages.rb @@ -16,9 +16,10 @@ module ActionController #:nodoc: # caches_page :show, :new # end # - # This will generate cache files such as weblog/show/5.html and weblog/new.html, - # which match the URLs used to trigger the dynamic generation. This is how the web server is able - # pick up a cache file when it exists and otherwise let the request pass on to Action Pack to generate it. + # This will generate cache files such as weblog/show/5.html and weblog/new.html, which match the URLs used + # that would normally trigger dynamic page generation. Page caching works by configuring a web server to first check for the + # existence of files on disk, and to serve them directly when found, without passing the request through to Action Pack. + # This is much faster than handling the full dynamic request in the usual way. # # Expiration of the cache is handled by deleting the cached file, which results in a lazy regeneration approach where the cache # is not restored before another hit is made against it. The API for doing so mimics the options from +url_for+ and friends: -- cgit v1.2.3 From 2fd1f2e84319c0796ba6887435e6cf172f715da7 Mon Sep 17 00:00:00 2001 From: Matt Jankowski Date: Sun, 26 Jun 2011 19:44:55 -0400 Subject: clarify which url would be used to cache a page when options are not provided to #cache_page to determine that url --- actionpack/lib/action_controller/caching/pages.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib/action_controller') diff --git a/actionpack/lib/action_controller/caching/pages.rb b/actionpack/lib/action_controller/caching/pages.rb index 9ea2ab0056..496390402b 100644 --- a/actionpack/lib/action_controller/caching/pages.rb +++ b/actionpack/lib/action_controller/caching/pages.rb @@ -133,8 +133,8 @@ module ActionController #:nodoc: end end - # Manually cache the +content+ in the key determined by +options+. If no content is provided, the contents of response.body is used - # If no options are provided, the requested url is used. Example: + # Manually cache the +content+ in the key determined by +options+. If no content is provided, the contents of response.body is used. + # If no options are provided, the url of the current request being handled is used. Example: # cache_page "I'm the cached content", :controller => "lists", :action => "show" def cache_page(content = nil, options = nil) return unless self.class.perform_caching && caching_allowed? -- cgit v1.2.3 From 5fe67fa7a3c78b2dc7a3f311d1fa518cde52443a Mon Sep 17 00:00:00 2001 From: Vijay Dev Date: Fri, 1 Jul 2011 00:00:38 +0530 Subject: update doc about resetting the session in case of authenticity token mismatch --- .../lib/action_controller/metal/request_forgery_protection.rb | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'actionpack/lib/action_controller') diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 2080e9b5b9..441b214c4e 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -7,17 +7,16 @@ module ActionController #:nodoc: # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks # by including a token in the rendered html for your application. This token is # stored as a random string in the session, to which an attacker does not have - # access. When a request reaches your application, \Rails then verifies the received - # token with the token in the session. Only HTML and javascript requests are checked, + # access. When a request reaches your application, \Rails verifies the received + # token with the token in the session. Only HTML and JavaScript requests are checked, # so this will not protect your XML API (presumably you'll have a different # authentication scheme there anyway). Also, GET requests are not protected as these # should be idempotent. # # CSRF protection is turned on with the protect_from_forgery method, - # which will check the token and raise an ActionController::InvalidAuthenticityToken - # if it doesn't match what was expected. A call to this method is generated for new - # \Rails applications by default. You can customize the error message by editing - # public/422.html. + # which checks the token and resets the session if it doesn't match what was expected. + # A call to this method is generated for new \Rails applications by default. + # You can customize the error message by editing public/422.html. # # The token parameter is named authenticity_token by default. The name and # value of this token must be added to every layout that renders forms by including -- cgit v1.2.3 From 2949e30a05d7174db5b9981385e8eee69469eabc Mon Sep 17 00:00:00 2001 From: Vijay Dev Date: Sat, 2 Jul 2011 21:18:46 +0530 Subject: document handle_unverified_request method --- actionpack/lib/action_controller/metal/request_forgery_protection.rb | 2 ++ 1 file changed, 2 insertions(+) (limited to 'actionpack/lib/action_controller') diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 441b214c4e..2271470334 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -78,6 +78,8 @@ module ActionController #:nodoc: end end + # This is the method that defines the application behaviour when a request is found to be unverified. + # By default, \Rails resets the session when it finds an unverified request. def handle_unverified_request reset_session end -- cgit v1.2.3