RoR + Devise: CSRF token changes at every request

Updated: 2024-10-28 13:14:55
Problem description


I am using Devise to handle authentication in a web application, and I set it up to work with Ajax as explained on this blog post. It works fine, I can sign in and out. However, there is an anomaly: the CSRF token is regenerated at every request. This happens whether the user is signed in or not, and even if the request is a GET, although I keep reading everywhere that the token should not change during a session. This forces me to add a mechanism to update the token on the client, since it is not done automatically because I use Ajax. Could someone tell me if this has somehow become the new default, or if not, what I could possibly have done wrong?


Versions used: Rails 4.2.5, Ruby 2.2.4, Devise 3.5.3.

Accepted answer

I finally figured it out.


I used the code provided in the above blog post to get the CSRF token by calling form_authenticity_token. As I finally found out, Rails 4.2.1 introduced a new implementation that calls masked_authenticity_token, which is why I thought the token was being reset. In fact it was not, only a randomly masked version of it was sent. This is clear in the source history. One can get the actual token in the current Rails version like so: session[:_csrf_token]. This can be useful to check that the token does not change when it should not, which is what I was trying to do.


I hope this answer can be useful to someone. It certainly took me time to find it.
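The following is an added example, not code from the answer above or from Rails itself. It is a simplified stand-alone re-implementation of the masking scheme Rails 4.2.1 introduced, so the behaviour the answer describes can be seen in isolation: a plain Hash stands in for the Rails session store, the constant name TOKEN_LENGTH and the helper names (real_csrf_token, masked_authenticity_token, unmask_token, secure_compare, valid_authenticity_token?, same_underlying_token?) are this example's own choices. Each call to masked_authenticity_token returns a different string, yet every one of them unmasks to the same raw token stored in session[:_csrf_token], and the validator accepts all of them.

```ruby
require 'securerandom'
require 'base64'

# Simplified re-implementation (not Rails's own code) of the masked CSRF
# token scheme from Rails 4.2.1. The raw token lives in the session and is
# stable; what is sent to the client is raw_token XOR one_time_pad, with the
# pad prepended, so the wire value changes on every call.
TOKEN_LENGTH = 32

# Returns the raw 32-byte token, generating it on first use (a Hash stands in
# for the Rails session here).
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

# Byte-wise XOR of two equal-length binary strings.
def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Equivalent of form_authenticity_token after 4.2.1: a fresh one-time pad per
# call, so two calls in the same session never return the same string.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_byte_strings(pad, real_csrf_token(session)))
end

# Recovers the raw token from the decoded (pad + ciphertext) blob.
def unmask_token(masked)
  pad = masked[0, TOKEN_LENGTH]
  xor_byte_strings(pad, masked[TOKEN_LENGTH, TOKEN_LENGTH])
end

# Constant-time comparison so token checks do not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: decode, unmask, compare against the session's raw token.
# Malformed input (wrong length, bad base64, nil) is rejected, never raised.
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String)
  masked = Base64.strict_decode64(encoded)
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  secure_compare(unmask_token(masked), real_csrf_token(session))
rescue ArgumentError
  false
end

# The check the answer was after: do two differently masked values carry the
# same underlying token?
def same_underlying_token?(encoded_a, encoded_b)
  unmask_token(Base64.strict_decode64(encoded_a)) ==
    unmask_token(Base64.strict_decode64(encoded_b))
end

if __FILE__ == $0
  session = {}
  t1 = masked_authenticity_token(session)
  t2 = masked_authenticity_token(session)
  puts "masked #1: #{t1}"
  puts "masked #2: #{t2}"
  puts "wire values differ:      #{t1 != t2}"
  puts "same underlying token:   #{same_underlying_token?(t1, t2)}"
  puts "both accepted by server: #{valid_authenticity_token?(session, t1) && valid_authenticity_token?(session, t2)}"
end
```

On an Ajax client this is why refreshing the token after every response is unnecessary: any masked value issued during the session stays valid, because the server compares the unmasked bytes against session[:_csrf_token], not the masked string it last sent.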


Published: 2023-10-11 17:55:22
Source: https://www.elefans.com/category/jswz/34/1482411.html