From 92fd44b35df65556c8baad565421fd8fd44ee509 Mon Sep 17 00:00:00 2001 From: PaulL1 Date: Thu, 17 Apr 2014 14:04:40 +0200 Subject: CSRF protection should rescue exception not extend I think the changes to the default behaviour mean that rails will throw an exception when an invalid authenticity token is found. The previous proposed code of calling super then sign_out meant that sign_out was never reached - the exception handler never returned. I think the best approach now is to catch the exception, although I'm not 100% certain on that. --- guides/source/security.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'guides/source') diff --git a/guides/source/security.md b/guides/source/security.md index 15b28664b7..a901589e4f 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -250,9 +250,8 @@ This will automatically include a security token in all forms and Ajax requests It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself: ```ruby -def handle_unverified_request - super - sign_out_user # Example method that will destroy the user cookies. +rescue_from ActionController::InvalidAuthenticityToken do |exception| + sign_out_user # Example method that will destroy the user cookies end ``` -- cgit v1.2.3
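Review bot: the new `rescue_from ActionController::InvalidAuthenticityToken` handler only ever runs when forgery protection is configured to raise (`protect_from_forgery with: :exception`); with the `:null_session` strategy no exception is raised and `sign_out_user` is never called, so the surrounding guide text should state that prerequisite rather than leaving it implied by "rails will throw an exception". Two smaller points in the same hunk: the block parameter `exception` is unused and can be dropped, and the handler signs the user out but neither renders nor redirects, so the example should show what the app responds with afterwards, e.g. `redirect_to new_session_path`, otherwise readers will copy a handler that leaves the response to whatever Rails does by default.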