Hi All,
I just got my hands on protect_from_forgery, and I have written a simple login as below:
My client side:
// Unity client: plain form POST with no CSRF token attached
WWWForm form = new WWWForm();
form.AddField("id", id);
form.AddField("pw", pw);
WWW www = new WWW(mainUrl + "login/", form);
On the server side, in my application_controller.rb, I have:
protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }
I have tried running my client, and on the surface it seems OK, in that I can log in from my client. However, when looking at my console (I am working on the Windows platform), I saw that it says:
WARNING: Can't verify CSRF token authenticity
I have tried to look up my questions on the internet, but I couldn't find a very detailed explanation of what I'd like to know, hence I hope I can get some help here:
- A lot of people say that to get rid of the warning I need to add
skip_before_filter :verify_authenticity_token
but this seems like it will get rid of the authentication, which I should have kept.
- I couldn't find any detail on the options for protect_from_forgery; I'd appreciate it if anyone could give me a detailed explanation of the following options:
with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }
- How can I make sure that my form is using and passing the CSRF authentication?
- Is the secret key used in protect_from_forgery the one in config/initializer/secret_token.rb?
Thanks all in advance for helping me with my questions!
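The following is an added example for this thread, not code from the question or from Rails itself: a small stand-alone Ruby re-implementation of the token handling behind protect_from_forgery (the real thing lives in ActionController::RequestForgeryProtection), so the three server-side questions above can be seen in one runnable file. Method names, the Request struct and the constructed login request are assumed for illustration. It shows that the token is a random value kept in the session (the secret in config/initializers/secret_token.rb signs the session cookie, it does not generate the token), how the value handed to the client is masked, where verify_authenticity_token looks for it (the authenticity_token parameter or the X-CSRF-Token header), what `with: :null_session` does compared with `with: :exception`, and what the `if:` Proc does.

```ruby
# Added example for this thread: a small stand-alone re-implementation of the
# token handling behind Rails' protect_from_forgery. It is NOT Rails' own code
# (Rails keeps this in ActionController::RequestForgeryProtection); the method
# names and the Request struct below are assumed for illustration.
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32

class InvalidAuthenticityToken < StandardError; end

# The session is just a Hash here. Rails stores the real token in the session
# as a fresh random value; it is not derived from the secret in
# config/initializers/secret_token.rb, which is what signs the session cookie.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# What the hidden form field / <meta name="csrf-token"> carries: a one-time
# pad followed by the real token XOR-ed with that pad, so the value the client
# sees changes on every render while the session token stays the same.
def masked_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(real_csrf_token(session), pad))
end

def unmask_token(masked)
  decoded = Base64.strict_decode64(masked)
  return nil unless decoded.bytesize == TOKEN_LENGTH * 2
  xor_bytes(decoded[TOKEN_LENGTH, TOKEN_LENGTH], decoded[0, TOKEN_LENGTH])
rescue ArgumentError
  nil # not valid base64
end

# Constant-time comparison, so the check does not leak where the mismatch is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_authenticity_token?(session, candidate)
  return false unless candidate.is_a?(String) && !candidate.empty?
  token = unmask_token(candidate)
  !token.nil? && secure_compare(token, real_csrf_token(session))
end

Request = Struct.new(:method, :format, :params, :headers, keyword_init: true)

# GET and HEAD are never checked. Any other method must carry the token in the
# authenticity_token parameter or the X-CSRF-Token header.
def verified_request?(request, session)
  return true if %w[GET HEAD].include?(request.method)
  candidate = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
  valid_authenticity_token?(session, candidate)
end

# Simplified verify_authenticity_token. `strategy` plays the role of the
# `with:` option and `condition` the `if:` Proc. Returns the session the action
# will run with, or raises for `with: :exception`.
def verify_authenticity_token(request, session, strategy:, condition: ->(_r) { true })
  # `if:` is an ordinary before_action option: when it is false the check is
  # skipped altogether for that request.
  return session unless condition.call(request)
  return session if verified_request?(request, session)

  warn "WARNING: Can't verify CSRF token authenticity"
  case strategy
  when :null_session then {} # request proceeds, but with an empty session
  when :exception then raise InvalidAuthenticityToken, 'CSRF token missing or invalid'
  else raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  json_only = ->(r) { r.format == 'application/json' }
  # Constructed request resembling the WWWForm post in the question: no token.
  login = Request.new(method: 'POST', format: 'application/json',
                      params: { 'id' => 'alice', 'pw' => 'hunter2' }, headers: {})
  seen = verify_authenticity_token(login, session, strategy: :null_session, condition: json_only)
  puts "no token, :null_session -> action sees session #{seen.inspect}"
  # Same request once the client has fetched a masked token and sends it back.
  login.headers['X-CSRF-Token'] = masked_csrf_token(session)
  seen = verify_authenticity_token(login, session, strategy: :exception)
  puts "with token, :exception  -> action sees session keys #{seen.keys.inspect}"
end
```

Running it reproduces the situation in the question: the token-less POST is logged with the warning and the action still runs, because `:null_session` only empties the session for that request instead of rejecting it, while `:exception` raises. Two things to keep in mind when reading it against the real configuration: in Rails the masked token reaches a browser through `form_authenticity_token` / `csrf_meta_tags`, and jquery-ujs copies it from the meta tag into the X-CSRF-Token header, which is the header a non-browser client such as the Unity code would have to set itself; and because `if:` is passed straight through to the before_action, a Proc that only matches JSON means requests in any other format are not verified at all.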