views: 24
answers: 1

Hi, I'm a newbie with Rails and just realized that my Rails app that I created with a beginner tutorial needs cookies to work properly; otherwise, after submitting a form it gives the error ActionController::InvalidAuthenticityToken.

How can I implement cookie detection in an easy way?

+1  A: 

InvalidAuthenticityToken means that you're not sending the correct CSRF token with your form. You should be building your form with the built-in Rails methods. These cause a hidden authenticity_token input to be inserted into your form. Rails will verify the authenticity_token when the form is submitted.

What leads you to believe that 'cookie detection' is part of the problem?

Bob Aman
Hi Bob, I think we misunderstood each other. The authenticity_token is implemented in the form and activated and works, but only when the user allows cookies for the page. The problem is when cookies aren't allowed to be set. It gives the InvalidAuthenticityToken error page. I'm searching for a simple way to implement a detection of whether the user has enabled cookies, so if not I would like to show him a message to turn cookies on so that the page works properly.
12d3
Don't you think the problem is caused by disabled cookies?
12d3
http://www.ruby-forum.com/topic/187822 confirms that this seems to be a cookie problem
12d3
Right, CSRF requires a session store because you have to verify that the token was issued to the user. The obvious alternative is to turn CSRF off or use some other state mechanism if you really can't use cookies. However, other state mechanisms are not supported natively in Rails.
Bob Aman
Hi Bob, I don't want to turn it off. I thought about a solution like the one mentioned here http://railsforum.com/viewtopic.php?id=40755; unfortunately this code seems not to work:

    def new
      flash.now[:alert] = "You need to enable cookies!" if params[:cookies_disabled] == "1"
    end
12d3
CSRF protection requires some form of state to be maintained. Cookies are the standard mechanism here. You could use an alternate state management mechanism to circumvent the fact that your users have turned off cookies, but I don't recommend this. The correct thing to do is detect that cookies are being rejected and yell at your users. The user has made it clear that they don't want to be tracked, and you need to manage state. Those two goals are at odds with each other and attempting to circumvent this by doing something crazy like evercookies is not a great outcome.
Bob Aman
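One way to do what Bob recommends (detect that cookies are being rejected and tell the user, rather than bypassing CSRF protection), as an added example that is not from the thread or from Rails itself: a small Rack-style middleware that sets a probe cookie on the first GET, redirects once with a marker parameter, and on the redirected request checks whether the probe came back. The cookie name, env key and class name are assumptions; the `cookies_disabled` parameter name is the one from the snippet quoted above, so that snippet's flash message would then fire.

```ruby
require "cgi"

# Rack-style middleware (assumed names; added example, not Rails' own code) that
# detects a browser rejecting cookies: set a probe cookie, redirect once, and see
# whether it comes back, so the app can show "enable cookies" instead of letting
# CSRF verification raise InvalidAuthenticityToken.
class CookieProbe
  PROBE_COOKIE = "cookie_probe"         # assumed cookie name
  MARKER_PARAM = "cookies_disabled"     # param name from the quoted snippet
  FLAG         = "cookie_probe.enabled" # env key the downstream app reads

  def initialize(app)
    @app = app
  end

  # Only GET is probed: redirecting a form POST would discard its body.
  def call(env)
    return @app.call(env) unless env["REQUEST_METHOD"] == "GET"
    cookies = parse_cookies(env["HTTP_COOKIE"])
    params  = CGI.parse(env["QUERY_STRING"].to_s)

    if cookies.key?(PROBE_COOKIE)
      env[FLAG] = true # probe came back, so the session cookie will too
      return @app.call(env)
    end
    if params.key?(MARKER_PARAM)
      # Redirected once already and the probe did not return: cookies are
      # rejected. Do not redirect again, or the client loops forever.
      env[FLAG] = false
      return @app.call(env)
    end

    # First visit: set the probe and send the browser back with the marker.
    query = [env["QUERY_STRING"], "#{MARKER_PARAM}=1"].reject { |q| q.to_s.empty? }.join("&")
    headers = { "Location"   => "#{env['PATH_INFO']}?#{query}",
                "Set-Cookie" => "#{PROBE_COOKIE}=1; Path=/; HttpOnly; SameSite=Lax" }
    [302, headers, []]
  end

  private

  # Parses a Cookie header ("a=1; b=2") into a Hash; tolerates a nil header.
  def parse_cookies(header)
    header.to_s.split(/;\s*/).each_with_object({}) do |pair, acc|
      name, value = pair.split("=", 2)
      acc[name] = value unless name.to_s.empty?
    end
  end
end
```

In a Rails app this would be registered with `config.middleware.use CookieProbe`, and the controller can then read `request.env["cookie_probe.enabled"]` or the `cookies_disabled` parameter to decide whether to show the "enable cookies" message before the user ever submits the form.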