Protect_from_Forgery usage

Hi All,

I just get my hands on protect_from_forgery, and I have written something simple login as below:

my client-side

WWWForm form = new WWWForm();
form.AddField(“id”, id);
form.AddField(“pw”, pw);

    WWW www = new WWW(mainUrl + "login/", form);

At the server side, in my application_controller.rb I have

protect_from_forgery with: :null_session, if: { |c| c.request.format == ‘application/json’ }

I have tried running my client, and on the surface it seems OK; that I can login my client. However, when looking at my console (I am working on Win platform), I saw that it says:

WARNING: Can’t verify CSRF token authenticity

I have tried to look up my questions on the internet, but I couldn’t find very detailed explanation on what I’d like to know, hence I hope I can seek any help here:

  1. a lot of people say that to get rid of the warning I need to add skip_before_filter :verify_authenticity_token, but this seems will get rid of the authenticating; which I should’ve kept.

  2. I couldn’t find any detail on the options for protect_from_forgery; I’d appreciate if anyone of any side that I can get a detailed explanation on that the options following with: null_session, if: { |c| c.request.format == ‘application/json’ }

  3. How can I make sure that my form is using and passing the CSRF authentication?

  4. Is the secret key used in protect_from_forgery the one in config/initializer/secret_token.rb?

Thanks all in advance for helping me on my questions! :slight_smile: