When and how request sometimes found to be unverified. ruby on rails 3.2

Time:09-17

# This is the method that defines the application behavior when a request is found to be unverified.
# By default, Rails resets the session when it finds an unverified request.

def handle_unverified_request
  reset_session
end

I have seen this explanation at Rails 4 Authenticity Token

Now my question is: when and how does a request sometimes become unverified? How does it happen, and when?

Thank you. I have tried to search for it, but the explanations I have seen are so deep-technical that I cannot understand them in an easy way.

CodePudding user response:

Rails adds a CSRF authenticity token to form submissions.

If you have a Rails-generated form in your browser and you inspect it, you'll see something like this:

<input type="hidden" name="authenticity_token" value="/LV6706J3W  oCASgg8 wuySgIksE9BNjamMbMW8Zv G039yyxbpcRpUlUzuVbVvodKtDnUbknwo jsBzsoO8g==">

Rails checks this hidden tag on form submission to make sure it's the same form that Rails generated in the first place. This helps prevent CSRF attacks.

If this field's value doesn't match what Rails expects, it goes to the handle_unverified_request method you mentioned.

And it's not just forms, Rails can add tokens to the session to make sure it can match a request to an active session.

Regardless of the source, if Rails gets a mismatch, it wants to handle that as a security threat.

In essence, Rails is asking you "what should I do when I think the request I received is unverified and potentially an attack?"

In this case, Rails would call reset_session, which logs out the current_user.

Rails allows you to turn off or limit CSRF protection in cases where you may need to do strange things, but it's not advisable in any instances I'm familiar with. You can do this by changing the options on protect_from_forgery as mentioned in the SO post you linked.
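As an added illustration of the rule described above (written for this page, not code from the answer or from Rails itself), the following models how Rails 3.2 decides whether a request is verified; a plain Hash stands in for the request object so it runs without Rails:

```ruby
require 'securerandom'

# Constructed stand-in for the rule Rails 3.2's RequestForgeryProtection applies
# (not Rails' own code): a request is verified when it is a GET, or when the
# authenticity_token param or the X-CSRF-Token header equals the token held in
# the session. Anything else reaches handle_unverified_request.
class CsrfDemo
  attr_reader :session

  def initialize
    @session = {}
  end

  # Like form_authenticity_token: lazily creates the per-session secret.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time compare; Rails 3.2 used ==, this avoids a timing side channel.
  def secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # request: a Hash with :method, :params and :headers (assumed stand-in for
  # ActionDispatch::Request, so the example runs without Rails).
  def verified_request?(request)
    return true if request[:method] == 'GET'
    expected = form_authenticity_token
    secure_compare(expected, request[:params]['authenticity_token']) ||
      secure_compare(expected, request[:headers]['X-CSRF-Token'])
  end

  # The default handler from the question: drop the session, logging the user out.
  def handle_unverified_request
    @session = {}
  end

  # Returns :ok or :unverified so the outcome is observable.
  def handle(request)
    return :ok if verified_request?(request)
    handle_unverified_request
    :unverified
  end
end
```

The common benign case is a form rendered before the session was reset or expired: the session now holds a different token, so the POST is unverified and the user is logged out.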

CodePudding user response:

  # Override in ApplicationController; Rails calls it when the CSRF check fails.
  def handle_unverified_request
    # Drop the session as the default does (the original read reset_connection,
    # which is not a controller method; reset_session is what clears the login).
    reset_session
    # Redirect only for HTML form submits, not for AJAX or multipart uploads.
    if request.post? && !request.xhr? && request.content_type != 'multipart/form-data'
      redirect_to controller: 'logout', action: 'index', is_invalid_token: true
    end
  end

and then I have a logout controller

  # The index action of the logout controller targeted by the redirect above.
  def index
    if !params[:is_invalid_token].nil?
      flash[:notice] = "You dont have access with this."
      flash[:notice_header] = 'Forbidden Access'
    end

    redirect_to :controller => 'login', :action => 'index'
  end