Tuesday, December 16, 2008

rails error ActionController::InvalidAuthenticityToken

After upgrading to Rails 2.2.2, the error above was raised at user login. The new Rails version tightened its security controls: every non-GET form must now carry an authenticity token. The fix is to add <%= token_tag %> inside the form (form_tag and form_for emit it automatically, so only hand-written <form> tags need it). Rails then puts a hidden token (generated by the form_authenticity_token method of ActionController::RequestForgeryProtection and stored in the session) into the form; it is submitted with the form and checked on the server, which blocks cross-site request forgery (CSRF), since a page on another origin cannot read the victim's token. The rendered field looks like this:
<input name="authenticity_token" type="hidden" value="d688e6bf60f43bd171504e059de1ba03f876d129" />
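To make the flow concrete, here is an added, self-contained Ruby model of the check described above. It is not the Rails source and not part of the original post: it mimics the shape of form_authenticity_token, token_tag and verified_request? from Rails 2.2 so the behaviour can be run without a Rails app. The class name RequestForgery, the demo method and the in-memory session hash are this example's own assumptions.

```ruby
require 'securerandom'
require 'cgi'

# Added example (not Rails' own code): a minimal model of the Rails 2.2
# request-forgery check. Class and method names are assumptions chosen to
# mirror ActionController::RequestForgeryProtection and ActionView's token_tag.
class RequestForgery
  PARAM = 'authenticity_token'

  # form_authenticity_token: one random token per session, created lazily
  # and kept in the session store (the session cookie is what the
  # config.action_controller.session secret protects).
  def self.form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # token_tag: the hidden <input> shown in the post, for hand-written <form>s
  # (form_tag / form_for add it on their own).
  def self.token_tag(session)
    value = CGI.escapeHTML(form_authenticity_token(session))
    %(<input name="#{PARAM}" type="hidden" value="#{value}" />)
  end

  # verified_request?: GET is treated as read-only and exempt; any other
  # method must carry the token belonging to this session. A forged
  # cross-site POST cannot read the victim's page, so it cannot supply it.
  def self.verified_request?(method, params, session)
    return true if method.to_s.downcase == 'get'
    expected = session[:_csrf_token]
    supplied = params[PARAM]
    return false if expected.nil? || supplied.nil?
    secure_compare(expected, supplied)
  end

  # Compare every byte so the response time does not leak the mismatch position.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed walk-through: a login page rendered for one session, followed by
# a legitimate submit, a forged submit without a token, a wrong token and a GET.
def demo
  session = {}
  form  = RequestForgery.token_tag(session)
  token = form[/value="([^"]+)"/, 1]

  {
    legit:     RequestForgery.verified_request?(:post, { 'authenticity_token' => token }, session),
    forged:    RequestForgery.verified_request?(:post, { 'login' => 'victim' }, session),
    wrong:     RequestForgery.verified_request?(:post, { 'authenticity_token' => 'x' * 44 }, session),
    read_only: RequestForgery.verified_request?(:get, {}, session)
  }
end

puts demo.inspect if __FILE__ == $0
```

Running it shows the legitimate POST and the GET pass while the forged and wrong-token POSTs fail, which is exactly what ActionController::InvalidAuthenticityToken reports when a form lacks the field.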
For details see ActionController::RequestForgeryProtection and the configuration notes in config/environment.rb. Note that the token is kept in the session, and with the default cookie store the session's integrity rests entirely on the secret configured below; a secret that has been published (as the sample value below has) must be regenerated (rake secret produces a fresh one) before the check means anything:
# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
config.action_controller.session = {
  :session_key => '_sv3_session',
  :secret      => 'b35a7a9ffb88288f11c03b0c24fe45f90879d8fbb83f9ba70649b489d8165f06d4484dd07c6e41c2d9616630781fd739a127d1285c589db3d77801afd30a9d35'
}
