#957 Generate form_authenticity_token correctly when using CookieStore and Secret present - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#957 ✓invalid

Generate form_authenticity_token correctly when using CookieStore and Secret present

Reported by Tim Haines | September 2nd, 2008 @ 01:26 PM | in 2.x

Currently if you're using the CookieStore, and accidentally call protect_from_forgery with a :secret param, then the form_authenticity_token won't be generated correctly, and will result in InvalidAuthenticityToken errors being raised

I had this scenerio today after I'd switched back to the CookieStore from another store, and had forgotten to remove the secret.

The attached patch (with tests) makes the form_authenticity_token check to see if the CookieStore is being used rather than simply assuming it's not if :secret is set.

I'm happy to take any feedback on how to improve the tests - or any performance impact the new conditions might have. As well as the attached tests I've run and tested my app with this patch applied.

use_auth_token_from_cookie_session_when_cookie_store_used.diff 3.7 KB

Comments and changes to this ticket

You flagged this item as spam.
Tim Haines September 2nd, 2008 @ 09:18 PM
This patch (or one like it) also has the side benefit of being able to simplify the generated code for ActionController. The :secret could be uncommented by default, and the comment on the line above could be removed.
Michael Koziarski September 3rd, 2008 @ 08:40 AM
You don't seem to actually make any requests in the tests? Did the old behaviour raise errors before requesting anything?
Michael Koziarski September 3rd, 2008 @ 08:41 AM
- Assigned user set to “Michael Koziarski”
You flagged this item as spam.
Tim Haines September 3rd, 2008 @ 09:25 AM
Requests are made via the module that's included -> include RequestForgeryProtectionTests This is the same pattern that is used for the other request_forgery_pattern_tests.

Yes - if you add my tests without changing the source file, some of the tests will fail. The tests pass after you change the source file.
You flagged this item as spam.
Tim Haines September 3rd, 2008 @ 09:37 AM
- Title changed from “Ignore secret when Cookie Store is used” to “Generate form_authenticity_token correctly when using CookieStore and Secret present”
Frederick Cheung December 12th, 2008 @ 02:18 PM
- State changed from “new” to “invalid”
No longer relevant since form_authenticity_token was reimplemented along a completely different method in (9fdb15e60f4d4e37916e5354c50d559773bbe014)[http://github.com/rails/rails/co...]
You flagged this item as spam.
bingbing March 26th, 2011 @ 01:32 AM
gucci watches

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Attachments

use_auth_token_from_cookie_... 3.7 KB

Referenced by

919 Route not resolving properly Looks like Michael actually intended to reply to #957 :),...

Rails Ruby on Rails → 2.x