1

I am trying to figure out where authenticity tokens are being stored by Rails 4. On every request Rails seems to generate a new token. But where exactly are all of these tokens stored when using the cookie store? I have looked through the session variable but could not find anything.

Nghi93
  • Read this: http://stackoverflow.com/questions/941594/understanding-the-rails-authenticity-token – Max Williams Nov 10 '15 at 11:34
  • And where are the tokens stored exactly? How can I retrieve them? – Nghi93 Nov 10 '15 at 12:52
  • Try `authenticity_token_from_session_id` or `authenticity_token_from_cookie_session` – Max Williams Nov 10 '15 at 13:48
  • Where do I have to call this? I tried this in a controller, but it did not work. – Nghi93 Nov 11 '15 at 12:19
  • I think you should explain (in your question) what you are trying to achieve, and how you have tried to go about that so far, and what the actual problem is. – Max Williams Nov 11 '15 at 12:30
  • I am trying to understand how you can have multiple different authenticity tokens on every request. How does Rails know that these are valid tokens? When reading `session[:_csrf_token]` it always returns the same value. But in the form you get a different one on every request. Further, you can use the same token twice and it is still valid. – Nghi93 Nov 11 '15 at 12:52

1 Answer

2

I figured out how Rails handles the storage and the validation of CSRF tokens. I was looking for this: http://apidock.com/rails/ActionController/RequestForgeryProtection. So the CSRF token is stored in the session. As I mentioned before, this token remains the same. But this token is used to generate the authenticity tokens which are shown in the forms (see http://apidock.com/rails/v4.2.1/ActionController/RequestForgeryProtection/masked_authenticity_token).

To validate the authenticity tokens there are the methods `real_csrf_token` and `compare_with_real_token`. So there is no need to store every single generated token, as I thought in the first place.

Nghi93
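How one stored token can validate many different form tokens, shown as an added Ruby sketch (not Rails' own source and not part of the original post). It follows the masking scheme the answer links to; the helper names, the 32-byte length and the plain Hash standing in for the cookie session are assumptions.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # bytes; assumed length of the real token

# The single value kept in the session (a Hash stands in for the cookie session).
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Per-request form token: fresh random pad + (pad XOR real token), Base64-encoded.
def masked_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
end

# Undo the mask and compare with the session value; nothing per-form is stored.
def valid_token?(session, encoded)
  raw = Base64.strict_decode64(encoded.to_s)
  return false unless raw.bytesize == TOKEN_LENGTH * 2
  pad = raw.byteslice(0, TOKEN_LENGTH)
  masked = raw.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  secure_equal?(xor_bytes(pad, masked), real_csrf_token(session))
rescue ArgumentError # input was not valid Base64
  false
end

session = {}                       # constructed sample session
form_a = masked_token(session)
form_b = masked_token(session)
puts form_a != form_b              # tokens differ on every request
puts valid_token?(session, form_a) && valid_token?(session, form_a) # reusable
puts valid_token?({}, form_a)      # a different session rejects it
```

Because the token is not single-use, its protection rests on the session secret staying unreadable to other origins, not on per-form bookkeeping.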