Rails 4 Authenticity Token
I think I just figured it out. I changed the (new) default
protect_from_forgery with: :exception
to
protect_from_forgery with: :null_session
as per the comment in ApplicationController
.
# Prevent CSRF attacks by raising an exception.# For APIs, you may want to use :null_session instead.
You can see the difference by looking at the source for request_forgery_protecton.rb
, or, more specifically, the following lines:
In Rails 3.2:
# This is the method that defines the application behavior when a request is found to be unverified.# By default, \Rails resets the session when it finds an unverified request.def handle_unverified_request reset_sessionend
In Rails 4:
def handle_unverified_request forgery_protection_strategy.new(self).handle_unverified_requestend
Which will call the following:
def handle_unverified_request raise ActionController::InvalidAuthenticityTokenend
Instead of turn off the csrf protection, it's better to add the following line of code into the form
<%= tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) %>
and if you're using form_for or form_tag to generate the form, then it will automatically add the above line of code in the form
Adding the following line into the form worked for me:
<%= hidden_field_tag :authenticity_token, form_authenticity_token %>