tags:

views:

378

answers:

4
+1  Q: 

Rails simple form gives InvalidAuthenticityToken error

I have a simple form like this:

<form name="serachForm" method="post" action="/home/search">   
  <input type="text" name="searchText" size="15" value="">
  <input class="image" name="searchsubmit" value="Busca" src="/images/btn_go_search.gif" align="top" border="0" height="17" type="image" width="29">
</form>

And a controller with this method:

  def busca
    puts params[:searchText]
  end

When I do a click on the image button in the form I get a ActionController::InvalidAuthenticityToken. here's the full StackTrace:

/Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/request_forgery_protection.rb:86:in verify_authenticity_token' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:178:in send' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:178:in evaluate_method' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:166:in call' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:225:in call' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:629:in run_before_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:615:in call_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:610:in perform_action_without_benchmark' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/rescue.rb:136:in perform_action_without_caching' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/caching/sql_cache.rb:13:in perform_action' /Library/Ruby/Gems/1.8/gems/activerecord-2.2.2/lib/active_record/connection_adapters/abstract/query_cache.rb:34:in cache' /Library/Ruby/Gems/1.8/gems/activerecord-2.2.2/lib/active_record/query_cache.rb:8:in cache' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/caching/sql_cache.rb:12:in perform_action' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/base.rb:524:in send' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/base.rb:524:in process_without_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:606:in process_without_session_management_support' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/session_management.rb:134:in process' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/base.rb:392:in process' /Library/Ruby/Gems/1.8/gems/rails-2.2.2/lib/webrick_server.rb:74:in service' /Library/Ruby/Gems/1.8/gems/rails-2.2.2/lib/commands/servers/webrick.rb:66 /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:153:in require' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:521:in new_constants_in' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:153:in require' /Library/Ruby/Gems/1.8/gems/rails-2.2.2/lib/commands/server.rb:49

What is happening?

A: 

protect_from_forgery :only => [:create, :update, :destroy] will save You some trouble :) (in Your Controller class)

astropanic  2009-09-05 18:44:10
It didn't work. I noticed that when I remove the "method = post" the error doesn't appear anymore.
Daniel Cukier  2009-09-05 19:29:05
+2  A: 

By default, all none-GET actions requires the authenticity token to be passed along with the request. Rails uses the authenticity token to avoid CSRF attacks.

The easiest way to ensure that it is always in place, is to use the form_tag helper instead of writing the HTML by hand.

<% form_tag "/home/search", :name => "searchForm" do %>
  fields here
<% end %>
August Lilleaas  2009-09-05 22:39:33
There sure is. I stand corrected! :)
August Lilleaas  2009-09-06 15:57:11
A: 

If you don't use helpers to generate your form tags, this is how you manually generate the hidden field with the authenticity token:

<input type="hidden" value="<%= form_authenticity_token() %>" name="authenticity

_token"/>

 2009-09-06 12:09:15
+1  A: 

Along the lines of Nat, adding 

<%= token_tag %>

just after the HTML "form" tag works

Straff  2009-11-03 07:43:53

related questions

Infopath 2007 - Emailed forms not rendering correctly
What can prevent an MS Access 2000 form from closing?
Form library
Trigger update on DataTable bound to DataGridView
What's a clean/simple way to ensure the security of a page?
How to best merge information, at a server, into a "form", a PDF being generated as the final output
In HTML, what should happen to a selected, disabled option element?
What's the state of play with "Visual Inheritance"
ASP.NET MVC Preview 4 - Stop Url.RouteUrl() etc. using existing parameters
HTTP POST question - I'm stuck
InfoPath 2003 and the xs:any type
Retrieving HTTP status code from loaded iframe with Javascript
Data model for a extensible web form
.Net Compact Framework scrollbars - horizontal always show when vertical shows
MVC - where to implement form validation (server-side)?
Offline forms
MVC .Net - The best way to write a form?
Windows Forms Threading and Events - ListBox updates promptly but progressbar experiences huge delay
What is the best way to upload a file via an HTTP POST with a web form?
Delphi MDI Application and the titlebar of the MDI Children
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How Do I Post and then redirect to an external URL from ASP.Net?
Is a "Confirm Email" input good practice when user changes email address?
WinForms ComboBox data binding gotcha
How do I access a remote form in php?