This project is archived and is in readonly mode.
[PATCH] Bug: Earlier Check for Session in Forgery Protection
Reported by Peter Jones | May 7th, 2008 @ 11:07 PM
The session is used by the form_authenticity_token method before it is
tested to be valid. This patch moves a few lines around so that the
session is validated first.
Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:
undefined method `session_id' for {}:Hash
The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.
Comments and changes to this ticket
-
-
-
-
-
-
-
Repository May 11th, 2008 @ 07:29 PM
- State changed from “new” to “resolved”
(from [0dabb5b7ab3fad23da91a2312f7b586855d52f4a]) Fixed that forgery protection can be used without session tracking (Peter Jones) [#139 state:resolved]
-
af001 May 5th, 2011 @ 02:54 AM
- Tag set to “actionpack, bug, edge, patch, request-forgery-protection, tested”
- Importance changed from “” to “”
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
<h2 style="font-size: 14px">Tickets have moved to Github</h2>
The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>
Andrew Zielinski
Fernand Galiana
Jim James