ruby-on-rails – 无法验证CSRF令牌真实性Rails 4.1

前端之家收集整理的这篇文章主要介绍了ruby-on-rails – 无法验证CSRF令牌真实性Rails 4.1前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我正在开发一个简单的网站,让管理员创建问题并解决用户问题.我使用ActiveAdmin作为管理员部分和简单的 AJAX调用用户解决部分.尝试通过ActiveAdmin :: Devise进行登录成功,但无法登录.我删除了所有的cookie,从那时起,我无法在没有CSRF令牌真实性异常的情况下进行POST操作.我的application.html.erb的头部中有正确的Meta_tags,声明 jquery_ujs(其他线程说它的一个常见问题),并且在这两个POST操作中,存在真实性令牌.我尝试甚至通过skip_before_filter避免验证:verify_authenticity_token,但ActiveAdmin登录和POST示例继续失败.日志如下,您可以看到令牌存在.如果任何一个破坏了CSRF,我也会显示Gemfile.

> Rails版本[4.1.0]
> Ruby版本[2.1]
> Phusion乘客版[4.0.41]

提前致谢.

application.html.erb

<head>
  <title>Introducción Matematicas</title>
  <%= stylesheet_link_tag    "application",media: "all"%>
  <%= javascript_include_tag "application","data-turbolinks-track" => true %>
  <link href="http://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700|Roboto+Slab:300,400" rel="stylesheet" type="text/css">
  <%= csrf_Meta_tags %>
</head>

的application.js

//= require jquery
//= require jquery_ujs
//= require_tree ../../../vendor/assets/javascripts/.
//= require_tree .

应用控制器

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs,you may want to use :null_session instead.
  protect_from_forgery with: :null_session
  #skip_before_filter :verify_authenticity_token
  before_filter :configure_permitted_parameters,if: :devise_controller?
  protected
  def configure_permitted_parameters
      devise_parameter_sanitizer.for(:sign_up) do |u|
        u.permit :name,:college,:email,:password,:password_confirmation
      end
  end
end

管理登录日志

INFO -- : Processing by ActiveAdmin::Devise::SessionsController#create as HTML
INFO -- :   Parameters: {"utf8"=>"✓","authenticity_token"=>"aRZK3470X6+FJPANEuHAiwVW4NZwMzCkXtoZ1qlhQ0o=","admin_user"=>{"email"=>"omar@gmail.com","password"=>"[FILTERED]","remember_me"=>"0"},"commit"=>"Login"}
WARN -- : Can't verify CSRF token authenticity
INFO -- : Completed 401 Unauthorized in 110ms
INFO -- : Processing by ActiveAdmin::Devise::SessionsController#new as HTML
INFO -- :   Parameters: {"utf8"=>"✓","commit"=>"Login"}
WARN -- : Can't verify CSRF token authenticity
INFO -- :   Rendered vendor/cache/ruby/2.1.0/bundler/gems/active_admin-a460d8d2ab37/app/views/active_admin/devise/shared/_links.erb (2.0ms)
INFO -- :   Rendered vendor/cache/ruby/2.1.0/bundler/gems/active_admin-a460d8d2ab37/app/views/active_admin/devise/sessions/new.html.erb within layouts/active_admin_logged_out (73.0ms)
INFO -- : Completed 200 OK in 302ms (Views: 80.2ms | ActiveRecord: 0.0ms)

通过AJAX日志简单的POST

INFO -- : Processing by QuestionsController#check_question as JS
INFO -- :   Parameters: {"utf8"=>"✓","que_id"=>"44","authenticity_token"=>"CjaAx+B36JPc1PUIhta0vIuOTKX4UhrFWlmYHAd+KWY=","question"=>{"id"=>"169"},"commit"=>"Verificar Respuesta","id"=>"6"}
WARN -- : Can't verify CSRF token authenticity
INFO -- :   Rendered answers/_answer.html.erb (1.2ms)
INFO -- :   Rendered questions/check_question.js.erb (17.0ms)
INFO -- : Completed 200 OK in 94ms

的Gemfile

source 'https://rubygems.org'
gem 'rails','4.1.0'
#gem 'ckeditor'
gem 'MysqL2',"0.3.15"
gem 'devise'
gem 'activeadmin',github: 'gregbell/active_admin'
gem 'sass-rails','~> 4.0.0'
gem 'uglifier','>= 1.3.0'
gem 'execjs'
gem 'therubyracer'
gem 'coffee-rails','~> 4.0.0'
gem 'jquery-rails'
gem 'turbolinks'
gem 'jbuilder','~> 1.2'
group :doc do
  gem 'sdoc',require: false
end
gem 'minitest'

解决方法

skip_before_filter:verify_authenticity_token

哇,不要这样做这是一个完整的黑客,如果你不经意地把这个代码留在你的代码中,你刚刚创建了一个严重的安全问题.

那么,为什么你删除你的cookies?如果我正确地阅读了您的问题,那是因为您的注销功能已损坏?你怎么知道为什么注销不起作用呢?可能不是一个好主意去创建另一个问题(绕过CSRF身份验证),而不是修复原来的问题.

同时重新启动本地开发服务器,并在浏览器中启动一个新的选项卡.看看这是否使CSRF的内容至少消失了,然后回到注销问题.

猜你在找的Ruby相关文章