Protect_from_Forgery usage

Hi All,

I just got my hands on protect_from_forgery, and I have written a simple login as below:

my client-side

        // Build the POST body with the credentials entered by the user
        WWWForm form = new WWWForm();
        form.AddField("id", id);
        form.AddField("pw", pw);

        // Send it as a form-encoded POST to the login endpoint
        WWW www = new WWW(mainUrl + "login/", form);

At the server side, in my application_controller.rb I have

       protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }

I have tried running my client, and on the surface it seems OK: I can log in from my client. However, when looking at my console (I am working on the Windows platform), I saw that it says:

WARNING: Can't verify CSRF token authenticity

I have tried to look up my questions on the internet, but I couldn't find a very detailed explanation of what I'd like to know, hence I hope I can seek some help here:
1. A lot of people say that to get rid of the warning I need to add skip_before_filter :verify_authenticity_token, but this seems like it will get rid of the authentication, which I should keep.

2. I couldn't find any details on the options for protect_from_forgery; I'd appreciate it if anyone could give me a detailed explanation of the options following it: with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }

3. How can I make sure that my form is using and passing the CSRF authentication?

4. Is the secret key used in protect_from_forgery the one in config/initializer/secret_token.rb?

Thanks all in advance for helping me on my questions! :)
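The following is an added, stand-alone Ruby model of the check that protect_from_forgery performs and of what the three `with:` strategies do when it fails. It is not Rails' own implementation and not code from the question: the class name CsrfGuard, the login helper, the credential pair and the :logged_in session key are all assumptions made for illustration. The mechanics it shows are the real ones: a random per-session token is stored in the session, the request must echo it in the authenticity_token form field or the X-CSRF-Token header, and a mismatch is handled by raising (:exception), wiping the session (:reset_session) or giving the request an empty throwaway session (:null_session).

```ruby
require 'securerandom'

# Added illustration of the CSRF check behind protect_from_forgery.
# Not Rails code; CsrfGuard and its helpers are hypothetical names.
class CsrfGuard
  FORM_FIELD = 'authenticity_token'  # hidden field Rails form helpers emit
  HEADER     = 'X-CSRF-Token'        # header a non-browser client can send

  class InvalidAuthenticityToken < StandardError; end

  # strategy is one of :exception, :reset_session, :null_session
  def initialize(strategy)
    @strategy = strategy
  end

  # Per-session token, minted on first use and kept in the session store.
  def token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison: the number of matching leading bytes must
  # not be recoverable from response timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # True when the token the client sent matches the session token.
  def verified?(session, params, headers)
    sent = params[FORM_FIELD] || headers[HEADER]
    return false if sent.nil? || sent.empty?
    secure_equal?(sent, token_for(session))
  end

  # Returns the session the request proceeds with. A verified request
  # keeps the real session; an unverified one is handled by the strategy
  # chosen with the `with:` option.
  def session_for_request(session, params, headers)
    return session if verified?(session, params, headers)

    case @strategy
    when :exception     then raise InvalidAuthenticityToken
    when :reset_session then session.clear       # stored session wiped
    when :null_session  then {}                  # empty session for this request only
    else raise ArgumentError, "unknown strategy #{@strategy.inspect}"
    end
  end
end

# Constructed login flow: a correct credential pair marks the session the
# guard handed back as logged in. Under :null_session an unverified login
# "succeeds" against the throwaway hash and the real session is untouched.
def login(guard, session, params, headers = {})
  req_session = guard.session_for_request(session, params, headers)
  if params['id'] == 'alice' && params['pw'] == 'correct horse'  # constructed credentials
    req_session[:logged_in] = params['id']
    [:ok, req_session]
  else
    [:bad_credentials, req_session]
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = CsrfGuard.new(:null_session)
  session = {}
  token = guard.token_for(session)
  creds = { 'id' => 'alice', 'pw' => 'correct horse' }
  _, s = login(guard, session, creds)
  puts "without token: real session logged_in=#{session[:logged_in].inspect}, request saw #{s.inspect}"
  login(guard, session, creds.merge('authenticity_token' => token))
  puts "with token:    real session logged_in=#{session[:logged_in].inspect}"
end
```

The model also answers the practical question of how to confirm a client is "using" the protection: a client that never obtains the session token (for example a game client that posts a WWWForm without the authenticity_token field or X-CSRF-Token header) will always fail `verified?`, which is exactly the condition that produces the "Can't verify CSRF token authenticity" warning under :null_session.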

0 Answers
