This project is archived and is in readonly mode.

#139 ✓resolved
Peter Jones

[PATCH] Bug: Earlier Check for Session in Forgery Protection

Reported by Peter Jones | May 7th, 2008 @ 11:07 PM

The session is used by the form_authenticity_token method before it is

tested to be valid. This patch moves a few lines around so that the

session is validated first.

Without this patch, if you try to use forgery protection with sessions

turned off, you get this exception message:

undefined method `session_id' for {}:Hash

The patch includes a test that can be used to see this behavior before

the request_forgery_protection.rb file is patched to fix it.

Comments and changes to this ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Attachments

Pages