[Facebooker-talk] form_tag and form_for cause #protect_from_forgery errors
BJ Clark
bjclark at scidept.com
Wed Apr 9 12:28:36 EDT 2008
Mike,

My secret is not commented out. Is there any way to test this stuff in
script/console?

environment.rb:

  # Your secret key for verifying cookie session data integrity.
  # If you change this key, all old sessions will become invalid!
  # Make sure the secret is at least 30 characters and all random,
  # no regular words or you'll be exposed to dictionary attacks.
  config.action_controller.session = {
    :session_key => '_yyy_session',
    :secret => 'xxx'
  }

  # Use the database for sessions instead of the cookie-based default,
  # which shouldn't be used to store highly confidential information
  # (create the session table with 'rake db:sessions:create')
  config.action_controller.session_store = :active_record_store

I'm not sure what's up.

Thanks,
BJ Clark

On Apr 8, 2008, at 7:06 PM, Mike Mangino wrote:
> If you generate an application with Rails 2.0, it will put the
> following section in environment.rb
>
> # Your secret key for verifying cookie session data integrity.
> # If you change this key, all old sessions will become invalid!
> # Make sure the secret is at least 30 characters and all random,
> # no regular words or you'll be exposed to dictionary attacks.
>
> config.action_controller.session = {
> :session_key => '_app_session',
> :secret => 'longstring'
> }
>
> just uncomment the secret and you should be good to go.
>
> Mike
>
> On Apr 8, 2008, at 7:21 PM, BJ Clark wrote:
>> Hey All,
>>
>> I'm trying to do a simple form_for (and I also get it with form_tag)
>> and I'm getting the following error:
>>
>> ActionView::TemplateError (No :secret given to the
>> #protect_from_forgery call. Set that or use a session store capable
>> of generating its own keys (Cookie Session Store).) on line #2 of
>> users/new.fbml.erb:
>> 1: <h1>Welcome To Courses, Let's Get Started.</h1>
>> 2: <% form_for :user, user_path, :method => :post do |form| %>
>> 3: <fb:editor-custom label="You are a">
>> 4: <label><%= radio_button_tag 'user_type', 'student', true %>
>> Student</label>
>> 5: <label><%= radio_button_tag 'user_type', 'instructor' %>
>> Teacher</
>> label>
>>
>> vendor/rails/actionpack/lib/action_controller/
>> request_forgery_protection.rb:114:in `form_authenticity_token'
>> (eval):2:in `send'
>> (eval):2:in `form_authenticity_token'
>> vendor/rails/actionpack/lib/action_view/helpers/
>> form_tag_helper.rb:453:in `token_tag'
>> vendor/rails/actionpack/lib/action_view/helpers/
>> form_tag_helper.rb:430:in `extra_tags_for_form'
>> vendor/rails/actionpack/lib/action_view/helpers/
>> form_tag_helper.rb:438:in `form_tag_html'
>> vendor/rails/actionpack/lib/action_view/helpers/
>> form_tag_helper.rb:41:in `form_tag'
>> vendor/rails/actionpack/lib/action_view/helpers/form_helper.rb:
>> 204:in `form_for'
>> app/views/users/new.fbml.erb:2:in
>> `_run_erb_47app47views47users47new46fbml46erb'
>>
>>
>> I've got this in my application.rb:
>> config.action_controller.session_store = :active_record_store
>> config.action_controller.session = {
>> :session_key => '_app_session',
>> :secret => 'xxx'
>> }
>>
>>
>> What's the trick for getting around this?
>>
>> Thanks,
>> BJ Clark
>>
>> _______________________________________________
>> Facebooker-talk mailing list
>> Facebooker-talk at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/facebooker-talk
>
> --
> Mike Mangino
> http://www.elevatedrails.com
>
>
>
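
An added example, not part of the thread and not Rails source: a simplified Ruby model of the rule in the quoted error message, where the form token is an HMAC over the session id and only the cookie store brings its own signing key. The method names, store labels and sample session id are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Simplified model (an assumption, not Rails source) of the rule in the error
# message: a token needs a key, and only the cookie store supplies one itself.
class NoSecretError < StandardError; end

# store          - :cookie_store or :active_record_store (labels for this model)
# session_secret - the :secret inside config.action_controller.session
# forgery_secret - a :secret handed to protect_from_forgery, or nil
def authenticity_token(store:, session_id:, session_secret:, forgery_secret: nil)
  key = if forgery_secret
          forgery_secret                 # explicit key always wins
        elsif store == :cookie_store
          session_secret                 # cookie store can sign with its own key
        else
          # Server-side store and no explicit key: nothing to sign with.
          raise NoSecretError, 'No :secret given to the #protect_from_forgery call'
        end
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), key, session_id)
end

# Constant-time comparison so a mismatch does not leak how many bytes matched.
def valid_token?(expected, submitted)
  return false unless submitted.is_a?(String) && expected.bytesize == submitted.bytesize
  diff = 0
  expected.bytes.zip(submitted.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

if __FILE__ == $PROGRAM_NAME
  sid    = 'constructed-session-id'      # constructed sample value
  secret = SecureRandom.hex(32)          # 64 random hex chars, not a dictionary word
  begin
    authenticity_token(store: :active_record_store, session_id: sid, session_secret: secret)
  rescue NoSecretError => e
    puts "active_record_store, no explicit key: #{e.message}"
  end
  token = authenticity_token(store: :active_record_store, session_id: sid,
                             session_secret: secret, forgery_secret: secret)
  puts "with explicit key: #{token} valid=#{valid_token?(token, token.dup)}"
end
```
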