Question

我最近从在cookie中存储会话数据切换到将其存储在数据库中。

现在每个POST请求都会导致 ActionController :: InvalidAuthenticityToken 错误。它只发生在Firefox中，并且仅在我的家用机器上（我今天在同一版本的FF中尝试了它，一切都很好）。这让我相信这与我昨天删除的cookie有关...

这是environment.rb的相关部分：

# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random, 
# no regular words or you'll be exposed to dictionary attacks.
config.action_controller.session = {
:session_key => '_basillslam_session',
:secret      => '373ee5b69a4a31d3318485fs368c41fac6b797a1f5c35693b49bd34e8a96291b92dd577bd49de7aeea56c9ffa1af2d8386bafe857220cafacfa0028f01be357d78'
}

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with 'rake db:sessions:create')
config.action_controller.session_store = :active_record_store

在application.rb中：

protect_from_forgery :secret => 'f1d54db45b47ec94a6a54b1e744fafa6'

以下是抛出错误的完整跟踪部分：

C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/request_forgery_protection.rb:79:in `verify_authenticity_token'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:469:in `send!'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:469:in `call'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:441:in `run'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:716:in `run_before_filters'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:695:in `call_filters'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:689:in `perform_action_without_benchmark'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
C:/INSTAN~1/ruby/lib/ruby/1.8/benchmark.rb:293:in `measure'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/rescue.rb:199:in `perform_action_without_caching'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:678:in `perform_action'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/query_cache.rb:8:in `cache'
[etc. ... ]

以前有人经历过这个吗？或者有人知道为什么会这样吗？

Answer 1

当我切换我的一个网站时，发生了同样的事情。在您的家庭Firefox浏览器中删除该站点的Rails会话cookie。

只有在您使用cookie存储的预先存在的会话时才会发生这种情况。所以，希望只有您和您的浏览器才能看到问题。删除cookie后，您再也不会看到错误了。

使用数据库中的会话并且只有随机密钥映射到浏览器cookie中的该会话，不再需要会话保护魔法。

Answer 2

感谢Otto，我现在知道发生这种情况的原因。虽然，我能够通过在正在发布的表单中编写<%= token_tag %>来解决问题。 token_tag在表单中放置一个包含真实性标记的隐藏字段，因此 ActionController :: InvalidAuthenticityToken错误消失。

Answer 3

如果您的应用上有多个用户，那么删除所有Cookie并不容易。当您切换到数据库存储时，为了防止cookie和数据库存储之间的会话数据冲突，您也可以更改

config.action_controller.session[:session_key]

protect_from_forgery与Firefox

3 个答案: