request.session [' _csrf_token']和元标记csrf_token不匹配

时间:2016-02-19 20:56:11

标签: ruby-on-rails websocket csrf faye

我已经使用带有Faye in Rails 4.2

的websockets实现了实时聊天

现在我可以使用curl向频道发布消息,如:

curl http://localhost:3000/faye -d message={"channel":"/mychannel", "data": "my message"}'

为防止出现这种情况,我按照指南http://faye.jcoglan.com/security/csrf.html

进行了操作

但客户端总是有401错误

[,…]
0: {id: "8l", channel: "/meta/handshake", error: "401::Access denied", successful: false, version: "1.0",…}
advice: {reconnect: "handshake"}
channel: "/meta/handshake"
error: "401::Access denied"
id: "8l"
successful: false
supportedConnectionTypes: ["long-polling", "cross-origin-long-polling", "callback-polling", "websocket", "eventsource",…]
version: "1.0"

我还在CsrfProtection扩展名中调试令牌变量。他们总是不同。

Started POST "/faye" for 127.0.0.1 at 2016-02-20 02:53:59 +0600
session_token: "nICoUB0sDiwmNqbRpr1kUM7LtyBybCiddThnZceU7UI="
message_token: "PO5gD5tPwVMZifrUCsk8xnJXUIRZkhOU/vQ+ujbmQAugbshfhmPPfz+/XAWsdFiWvJznpCv+OwmLzFnf8XKtSQ=="

为什么它们有所不同,我如何实施csrf保护?

1 个答案:

答案 0 :(得分:0)

Rails代码中的方法可能会有所帮助:token validation

想法:在页面上你有Base64编码的值,你需要解码它

相关问题
最新问题