[LRUG] How to *not* add an authenticity token to a form

Matthew Rudy Jacobs matthewrudyjacobs at gmail.com
Thu Jul 23 03:06:50 PDT 2009


2009/7/23 Craig Webster <craig at xeriom.net>

> Have you tried turning off forgery protection just for the actions
> that you're not interested in protecting using `skip_before_filter
> :verify_authenticity_token`?


This seems to be the right thing.

From the Rails docs:
==========
*verify_authenticity_token*()

The actual before_filter that is used. Modify this to change how you handle
unverified requests.
==========

>
>
> When you say it seems like a nice place to cache, have you done any
> profiling? Will this actually give you a significant boost or does it
> just increase complexity?
>
> Cheers,
> Craig
>
> On Thu, Jul 23, 2009 at 10:51, Taryn East<teast at globalpersonals.co.uk>
> wrote:
> > In my mind, the signup/login forms shouldn't need to be individual to a
> > user, and there may be other places...
> > It just seems like it'd be a nice place to cache...
> > Taryn
> >
> > 2009/7/23 Matthew Rudy Jacobs <matthewrudyjacobs at gmail.com>
> >>
> >> What's your particular need for action caching on this particular action?
> >>
> >> Could you not fragment cache anything difficult,
> >> and keep the form fresh?
> >>
> >> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
> >>>
> >>> Hi all,
> >>>
> >>> I'm running up against the "page/action caching vs forgery-protection"
> >>> issue described in various places, e.g. here:
> >>>
> >>> http://mandarinsoda.com/2008/01/29/stupid-rails-mistakes-caching-and-authenticity-tokens/
> >>>
> >>> Now - all the "solutions" that seem to be available say "turn off forgery
> >>> protection"... but surely that isn't the only option out there. It seems so
> >>> drastic (and dangerous).
> >>>
> >>> Is there no way to render a form without the authenticity token? No other
> >>> ideas?
> >>>
> >>> Any ideas welcome :)
> >>>
> >>> Cheers,
> >>> Taryn
> >>>
> >>> _______________________________________________
> >>> Chat mailing list
> >>> Chat at lists.lrug.org
> >>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
> --
> Craig Webster   | http://barkingiguana.com/~craig
> Xeriom Networks | http://xeriom.net/
>
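
The conflict discussed in this thread, modelled in plain Ruby as an added example (not code from the thread or from Rails; `Session`, `ActionCache`, `FragmentCache` and the helper names are hypothetical, and the random per-session value is a stand-in for the authenticity token). It shows why an action-cached form fails verification for every session but the first, and why caching only the shared fragment while rendering the form fresh keeps forgery protection working.

```ruby
require 'securerandom'

# Hypothetical stand-in for a user session holding a per-session token.
class Session
  def authenticity_token
    @authenticity_token ||= SecureRandom.hex(16)
  end

  def valid_token?(submitted)
    submitted == authenticity_token
  end
end

# Expensive markup that is identical for every visitor (constructed sample).
def render_slow_fragment
  "<p>Sign up today</p>"
end

def render_form(session, fragment)
  %(#{fragment}<form method="post"><input type="hidden" ) +
    %(name="authenticity_token" value="#{session.authenticity_token}"></form>)
end

# Pull the token back out of the HTML, as a browser would submit it.
def token_in(html)
  html[/name="authenticity_token" value="([0-9a-f]+)"/, 1]
end

# Action caching: the whole response, token included, is stored once.
class ActionCache
  def initialize; @page = nil; end
  def fetch(session)
    @page ||= render_form(session, render_slow_fragment)
  end
end

# Fragment caching: only the shared markup is stored; the form stays fresh.
class FragmentCache
  def initialize; @fragment = nil; end
  def fetch(session)
    @fragment ||= render_slow_fragment
    render_form(session, @fragment)
  end
end

# Returns [first_visitor_ok, second_visitor_ok] for a given cache strategy.
def submit_results(cache)
  alice, bob = Session.new, Session.new
  [alice, bob].map { |s| s.valid_token?(token_in(cache.fetch(s))) }
end
```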