[LRUG] How to *not* add an authenticity token to a form

Matthew Rudy Jacobs matthewrudyjacobs at gmail.com
Thu Jul 23 03:23:26 PDT 2009


Well

2009/7/23 Taryn East <teast at globalpersonals.co.uk>

> 2009/7/23 Matthew Rudy Jacobs <matthewrudyjacobs at gmail.com>
>
>>
>> 2009/7/23 Craig Webster <craig at xeriom.net>
>>
>>> Have you tried turning off forgery protection just for the actions
>>> that you're not interested in protecting using `skip_before_filter
>>> :verify_authenticity_token`?
>>
>>
>> this seems to be the right thing.
>>
>> from the rails docs;
>> ==========
>> *verify_authenticity_token*()
>>
>> The actual before_filter that is used. Modify this to change how you
>> handle unverified requests.
>>
> Yes - this is the solution I mentioned in my post - I know you can turn off
> verification... but my question is - surely there's another way?
>

With "skip_before_filter" you can turn it off per action.

If you only requirement is to forget about authenticity tokens for the
"signup" page,
then,
this seems like your best bet,

unless you're going to ajax in an authenticity token
which is going to undo the benefit of caching in the first place?


>
>
>
>>  When you say it seems like a nice place to cache, have you done any
>>> profiling? Will this actually give you a significant boost or does it
>>> just increase complexity?
>>
>>
> Nope - no profiling... this is idle speculation on what could-be... which
> is also interesting, IMO, even if lower priority than actual pain-points.
>
> Taryn
>
>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20090723/06a41b47/attachment-0003.html>


More information about the Chat mailing list