IE / Safari没有正确保存/读取cookie CSRF?

时间:2012-11-07 14:48:14

标签: ruby-on-rails-3 cookies heroku

我有一个基于Michael Hartl的Ruby on Rails教程(第二版)的用户模型。它在Linux盒子本地托管的实践中运行良好但是当我部署到Heroku时,IE和Safari存在问题。 (Chrome和firefox工作得很好。)我使用cookie来设置我在网站上不断调用的值current_user。

这是我的sessions_helper.rb

module SessionsHelper

  def sign_in(user)
    cookies.permanent[:remember_token] = user.remember_token
    self.current_user = user
  end

  def signed_in?
    !current_user.nil?
  end

  def current_user=(user)
    @current_user = user
  end

  def current_user
    @current_user ||= User.find_by_remember_token(cookies[:remember_token])
  end

  def current_user?(user)
    user == current_user
  end

  def signed_in_user
    unless signed_in?
      store_location
      redirect_to signin_url, notice: "Please sign in." 
    end
  end

  def sign_out
    self.current_user = nil
    cookies.delete(:remember_token)
  end

  def redirect_back_or(default)
    redirect_to(session[:return_to] || default)
    session.delete(:return_to)
  end

  def store_location
    session[:return_to] = request.url
  end
end

我的会话控制器如下:     class SessionsController< ApplicationController中

  def new
  end

  def create
    user = User.find_by_email(params[:session][:email].downcase)
    if user && user.authenticate(params[:session][:password])
      sign_in user
      redirect_back_or user
    else
      flash.now[:error] = 'Invalid email/password combination'
      render 'new'
    end
  end

  def destroy
    sign_out
    redirect_to root_url
  end

end

再次当我创建用户/登录时,它仅在IE8中丢失我的cookie>和Safari。 这是我得到的日志。

2012-11-06T19:28:08+00:00 app[web.1]: Started POST "/sessions" for XXX.XXX.XXX.XXX at  2012-11-06 19:28:08 +0000
2012-11-06T19:28:08+00:00 app[web.1]: Processing by SessionsController#create as HTML
2012-11-06T19:28:08+00:00 app[web.1]: Parameters: {"utf8"=>"â", "authenticity_token"=>"Eh3xta4VHlHgBVEKiLn3CRKgWb5xFbAx91eNJlYFySs=", "session"=>{"email"=>"A@User.com", "password"=>"[FILTERED]"}, "commit"=>"Sign in"}
2012-11-06T19:28:08+00:00 app[web.1]: WARNING: Can't verify CSRF token authenticity
2012-11-06T19:28:08+00:00 app[web.1]: Redirected to https://some-app_1234.herokuapp.com/users/1
2012-11-06T19:28:08+00:00 app[web.1]: Completed 302 Found in 391ms (ActiveRecord: 16.1ms)
2012-11-06T19:28:08+00:00 heroku[router]: POST some-app-1234.herokuapp.com/sessions dyno=web.1 queue=0 wait=0ms service=508ms status=302 bytes=114
2012-11-06T19:28:09+00:00 app[web.1]:
2012-11-06T19:28:09+00:00 app[web.1]:
2012-11-06T19:28:09+00:00 app[web.1]: Started GET "/users/1" for XXX.XXX.XXX.XXX at     2012-11-06 19:28:09 +0000
2012-11-06T19:28:09+00:00 app[web.1]: Processing by UsersController#show as HTML
2012-11-06T19:28:09+00:00 app[web.1]: Parameters: {"id"=>"1"}
2012-11-06T19:28:09+00:00 app[web.1]: Rendered shared/_stats.html.erb (205.2ms)
2012-11-06T19:28:09+00:00 app[web.1]: Rendered microposts/_micropost.html.erb (15.0ms)
2012-11-06T19:28:09+00:00 app[web.1]: Rendered users/show.html.erb within layouts/application (247.6ms)
2012-11-06T19:28:09+00:00 app[web.1]: Rendered layouts/_shim.html.erb (0.0ms)
2012-11-06T19:28:09+00:00 app[web.1]: Rendered layouts/_header.html.erb (1.2ms)
2012-11-06T19:28:09+00:00 app[web.1]: Rendered layouts/_footer.html.erb (0.3ms)
2012-11-06T19:28:09+00:00 app[web.1]: Completed 200 OK in 256ms (Views: 52.5ms | ActiveRecord: 202.4ms)
2012-11-06T19:28:09+00:00 heroku[router]: GET some-app-1234.herokuapp.com/users/1 dyno=web.1 queue=0 wait=0ms service=544ms status=200 bytes=2394

1 个答案:

答案 0 :(得分:0)

问题是我使用iframe转发dns!这使得cookie成为第三方cookie。如果我转发到实际的heroku地址,它就可以解决问题。希望我的愚蠢帮助别人。