
#957 ✓invalid
Tim Haines

Generate form_authenticity_token correctly when using CookieStore and Secret present

Reported by Tim Haines | September 2nd, 2008 @ 01:26 PM | in 2.x

Currently, if you're using the CookieStore and accidentally call protect_from_forgery with a :secret param, then the form_authenticity_token won't be generated correctly, and will result in InvalidAuthenticityToken errors being raised.

I had this scenario today after I'd switched back to the CookieStore from another store, and had forgotten to remove the secret.

The attached patch (with tests) makes form_authenticity_token check whether the CookieStore is being used, rather than simply assuming it isn't when :secret is set.

I'm happy to take any feedback on how to improve the tests, or on any performance impact the new conditions might have. As well as the attached tests, I've run and tested my app with this patch applied.
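The following is an added example, not Rails' own code and not the attached patch. It is a toy model of the decision the ticket describes: a CSRF token can be derived either from a secret keyed over the session id or from a value kept inside the session itself, and the dispatch can key off the presence of :secret (the behaviour the reporter hit) or off the session store in use (what the patch does). The page does not say why the secret-based token is wrong under the CookieStore, so this model assumes it is because that derivation needs a server-side session id that survives between requests, which the cookie session here is given not to have. The class names, the `cookie_store?` predicate, and the session ids and secret are all constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed model of a server-side session store: the session id is
# stable, so anything derived from it is the same on the next request.
class ServerSideSession
  attr_reader :session_id, :data
  def initialize(session_id)
    @session_id = session_id
    @data = {}
  end
  def cookie_store?; false; end
  # The server keeps the same session object across requests.
  def next_request; self; end
end

# Constructed model of a cookie-backed session: the data travels in the
# cookie and comes back on the next request, but (assumption for this
# model) there is no server-side session id, so a fresh one appears each time.
class CookieSession
  attr_reader :session_id, :data
  def initialize(data = {})
    @data = data
    @session_id = SecureRandom.hex(16)
  end
  def cookie_store?; true; end
  # Simulate the browser returning the cookie: same data, new id.
  def next_request; CookieSession.new(@data.dup); end
end

# Derivation 1: HMAC of the session id under the configured secret.
def token_from_session_id(session, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, session.session_id.to_s)
end

# Derivation 2: a random value generated once and stored in the session data.
def token_from_session_data(session)
  session.data[:csrf_id] ||= SecureRandom.hex(16)
end

# Dispatch as described before the patch: :secret present means
# "derive from the session id", whatever store is in use.
def token_by_secret_presence(session, secret)
  secret ? token_from_session_id(session, secret) : token_from_session_data(session)
end

# Dispatch as the patch describes: look at the store first, and only
# use the secret-keyed derivation for a non-cookie store.
def token_by_store_type(session, secret)
  if session.cookie_store? || secret.nil?
    token_from_session_data(session)
  else
    token_from_session_id(session, secret)
  end
end

# Render a form in one request, submit it in the next, and report whether
# the recomputed token matches the one that was put in the form.
def csrf_check_passes?(session, secret)
  form_token = yield(session, secret)             # token embedded in the form
  yield(session.next_request, secret) == form_token # token recomputed on submit
end

if __FILE__ == $0
  puts "cookie store, no secret, old dispatch:  " +
       csrf_check_passes?(CookieSession.new, nil) { |s, k| token_by_secret_presence(s, k) }.to_s
  puts "cookie store, :secret set, old dispatch: " +
       csrf_check_passes?(CookieSession.new, 's3cret') { |s, k| token_by_secret_presence(s, k) }.to_s
  puts "cookie store, :secret set, new dispatch: " +
       csrf_check_passes?(CookieSession.new, 's3cret') { |s, k| token_by_store_type(s, k) }.to_s
  puts "server store, :secret set, new dispatch: " +
       csrf_check_passes?(ServerSideSession.new('sid-1'), 's3cret') { |s, k| token_by_store_type(s, k) }.to_s
end
```

Under the model's assumption the second case is the one the ticket reports: the secret-keyed token is computed over an id that differs on the submitting request, so verification fails even though nothing about the request is hostile. Keying the dispatch on the store type instead makes the cookie case use the value carried in the session data, which does round-trip.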
