Rails 4 ActionController::InvalidAuthenticityToken with multiple subdomains

Time: 2015-08-08 11:30:58

Tags: ruby-on-rails session ruby-on-rails-4 subdomain

Before I begin, let me say that I searched Google and many posts on Stack Overflow, but nothing provided a solution to my problem. That is why I am creating a new post.

I am building an application with two subdomains: account.psantos.dev and app.psantos.dev.

In config/initializers/session_store.rb I have:

Rails.application.config.session_store :cookie_store, key: '_psantos.co.ao_session', domain: 'psantos.dev'

I have the following folder structure:


- app
  -- controllers
  --- app1
  ---- welcome_controller.rb
  --- account
  ---- welcome_controller.rb
  -- views
  --- layouts
  ---- app1.html.erb
  ---- account.html.erb
  --- app1
  ---- welcome
  ----- index.html.erb
  --- account
  ---- welcome
  ----- index.html.erb

In app/views/layout/app1.html.erb (http://app1.psantos.dev) I have the following line:

<li><%= link_to "Logout", account_sign_out_url, method: :delete %></li>

When I click this link (which goes to http://account.psantos.dev), I get the following error:

ActionController::InvalidAuthenticityToken at /sign_out ActionController::InvalidAuthenticityToken

In both layout files (app1.html.erb and account.html.erb) I have this line before the </head> tag:

<%= csrf_meta_tags %>

How can I solve this?

Update: relevant logs

Started GET "/" for 127.0.0.1 at 2015-08-08 12:37:03 +0100
Processing by APP1::WelcomeController#index as HTML
  Parameters: {"subdomain"=>"app1"}
  Rendered app1/welcome/index.html.erb within layouts/app1 (0.4ms)
  Entity Load (0.3ms)  SELECT "entities".* FROM "entities" WHERE "entities"."user_token" = $1 LIMIT 1  [["user_token", "xxxxxxxxxxxxxxxxxxxx"]]
Completed 200 OK in 43ms (Views: 42.0ms | ActiveRecord: 0.3ms)


Started DELETE "/sign_out" for 127.0.0.1 at 2015-08-08 12:37:05 +0100
Processing by Account::SessionsController#destroy as HTML
  Parameters: {"subdomain"=>"account"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)

ActionController::InvalidAuthenticityToken - ActionController::InvalidAuthenticityToken:
  actionpack (4.2.3) lib/action_controller/metal/request_forgery_protection.rb:181:in `handle_unverified_request'
  actionpack (4.2.3) lib/action_controller/metal/request_forgery_protection.rb:209:in `handle_unverified_request'
  actionpack (4.2.3) lib/action_controller/metal/request_forgery_protection.rb:204:in `verify_authenticity_token'
  activesupport (4.2.3) lib/active_support/callbacks.rb:430:in `block in make_lambda'
  activesupport (4.2.3) lib/active_support/callbacks.rb:143:in `block in halting_and_conditional'
  activesupport (4.2.3) lib/active_support/callbacks.rb:502:in `block in call'
  activesupport (4.2.3) lib/active_support/callbacks.rb:502:in `call'

1 answer:

Answer 0 (score: 1)

This cannot be done right now: a DELETE request to a subdomain.


There is a vulnerability in jquery-ujs and jquery-rails that can be used to bypass CSP protections and allows an attacker to send CSRF tokens to an attacker-controlled domain. This vulnerability has been assigned the CVE identifier CVE-2015-1840. Versions affected: all. Not affected: applications that do not use jquery-ujs or jquery-rails. Fixed versions: jquery-rails 4.0.4 and 3.1.3, and jquery-ujs 1.0.4.

Impact: in a scenario where an attacker is able to control the href attribute of an anchor tag, or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space). That value is passed to jQuery, which sees it as a same-origin request and sends the user's CSRF token to the attacker's domain.

Here is the jquery-ujs commit (image with the diff code in jquery-ujs).

You can read more here.
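To show why the Logout link in the question carries no token, and what kind of origin check the advisory quoted in the answer is about, here is an added JavaScript example (not the question's code, and not jquery-ujs or jQuery source): `isCrossDomainNaive`, `isCrossDomainParsed` and `csrfHeadersFor` are assumed names, modelled on the behaviour the advisory describes, and the token value is constructed.

```javascript
// Added example: two ways of deciding whether a request URL is same-origin
// before an X-CSRF-Token header is attached. Neither function is jquery-ujs
// or jQuery code; they model the behaviour described in the advisory.

// Naive check: extract scheme/host/port with a regex anchored at the start of
// the string. A URL the regex cannot match is treated as relative and hence
// same-origin, which is exactly what a leading space exploits.
const SCHEME_HOST = /^([\w.+-]+:)\/\/([^/?#:]*)(?::(\d+))?/;
function isCrossDomainNaive(pageOrigin, url) {
  const page = SCHEME_HOST.exec(pageOrigin);
  const parts = SCHEME_HOST.exec(url);
  return !!(parts && (parts[1] !== page[1] || parts[2] !== page[2] ||
    (parts[3] || "") !== (page[3] || "")));
}

// Browser-style check: parse the way an <a> element or the WHATWG URL parser
// does (leading whitespace stripped, default ports normalised) and compare the
// resulting origin with the page's origin.
function isCrossDomainParsed(pageOrigin, url) {
  try {
    return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch (e) {
    return true; // unparsable URL: treat as cross-domain, never attach the token
  }
}

// Request headers for an XHR: the token header is attached only when the
// parsed origin check says the target is same-origin.
function csrfHeadersFor(pageOrigin, url, token) {
  return isCrossDomainParsed(pageOrigin, url) ? {} : { "X-CSRF-Token": token };
}

// The situation in the question: the link is rendered on app1.psantos.dev but
// sends its DELETE to account.psantos.dev. Same parent domain, different
// origin, so no token is attached and Rails raises InvalidAuthenticityToken.
const PAGE = "http://app1.psantos.dev/";
const LOGOUT = "http://account.psantos.dev/sign_out";
const TOKEN = "constructed-token-value"; // constructed placeholder, not a real token

console.log("logout link cross-domain (naive/parsed):",
  isCrossDomainNaive(PAGE, LOGOUT), isCrossDomainParsed(PAGE, LOGOUT));
console.log("leading-space URL seen as cross-domain by naive check:",
  isCrossDomainNaive(PAGE, " https://attacker.com/"));
console.log("leading-space URL seen as cross-domain by parsed check:",
  isCrossDomainParsed(PAGE, " https://attacker.com/"));
console.log("headers for same-origin /sign_out:", csrfHeadersFor(PAGE, "/sign_out", TOKEN));
```

The naive check answers "same-origin" for the leading-space URL, which is the token leak the advisory describes; the parsed check answers "cross-domain" for it and for the sibling subdomain alike, which is why the question's DELETE arrives without a token.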