# This is the method that defines the application behavior when a request is found to be unverified.
# By default, Rails resets the session when it finds an unverified request.

def handle_unverified_request
  reset_session
end

I have seen this explanation at Rails 4 Authenticity Token

Now my question is: when and how does a request sometimes become unverified? How does it happen, and when?

Thank you. I have tried to search for it, but the explanations I have seen are so deeply technical; hence I would like to understand it in an easy way.

Chiperific

2 Answers


Rails adds a CSRF authenticity token to form submissions.

If you have a Rails-generated form in your browser and you inspect it, you'll see something like this:

<input type="hidden" name="authenticity_token" value="/LV6706J3W++oCASgg8+wuySgIksE9BNjamMbMW8Zv+G039yyxbpcRpUlUzuVbVvodKtDnUbknwo+jsBzsoO8g==">

Rails checks this hidden tag on form submission to make sure it's the same form that Rails generated in the first place. This helps prevent CSRF attacks.

If this field's value doesn't match what Rails expects, it goes to the handle_unverified_request method you mentioned.

And it's not just forms, Rails can add tokens to the session to make sure it can match a request to an active session.

Regardless of the source, if Rails gets a mismatch, it wants to handle that as a security threat.

In essence, Rails is asking you "what should I do when I think the request I received is unverified and potentially an attack?"

In this case, Rails would reset_session which logs out the current_user.

Rails allows you to turn off or limit CSRF protection in cases where you may need to do strange things, but it's not advisable in any instances I'm familiar with. You can do this by changing the options on protect_from_forgery as mentioned in the SO post you linked.

Chiperific
  • Hi sir @chiperific, thank you so much. Your explanation was very clear, so that a non-professional at technical things would understand it. I would like to clarify: my client just encountered this, and what he did is he only logged in. How come the field's value doesn't match what Rails expects? Meaning every user can encounter this rarely? And lastly, how come Rails gets a mismatch with it? Is it random? – Poor programmer Oct 28 '20 at 03:53
  • There must be a mistake in the login code or in the basic application if Rails is getting CSRF issues immediately. Please provide details with code about your login process so we can take a look. – Chiperific Oct 28 '20 at 03:57
  • Hi sir @chiperific, I have provided my sample code via "answer my question"; kindly have a look. – Poor programmer Oct 28 '20 at 05:59
  • @Poorprogrammer, I faced a similar issue a while ago, maybe you've got the same problem: https://stackoverflow.com/questions/14227952/why-does-my-rails-app-think-im-csrf – Chiperific Oct 28 '20 at 13:29
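To show concretely when a request becomes unverified, here is an added example (not Rails' own code and not from the answer above) that models Rails' masked authenticity-token scheme in plain Ruby. It assumes a plain Hash stands in for the session and uses the 32-byte token length; the Base64 value in the hidden field above is exactly such a 64-byte (pad + masked secret) token.

```ruby
require 'securerandom'
require 'base64'

# Simplified model of the masked CSRF token check (added example, not Rails' code).
# Assumption: the session is a plain Hash and the secret is 32 raw bytes.
TOKEN_LENGTH = 32

# The per-session secret. Rails creates it lazily under session[:_csrf_token];
# reset_session discards it, which is why a form rendered earlier then fails.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# What goes into the hidden authenticity_token field: a fresh one-time pad
# followed by (pad XOR secret), Base64-encoded. Each form gets a different
# value even though the session secret behind it is the same.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
end

# Constant-time comparison so the check does not leak where bytes differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check protect_from_forgery performs; false means handle_unverified_request runs.
def valid_authenticity_token?(session, encoded)
  return false if encoded.nil? || encoded.empty?
  decoded = Base64.strict_decode64(encoded)
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad, masked = decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), real_csrf_token(session))
rescue ArgumentError # not valid strict Base64
  false
end

# Scenarios from the thread: same session passes; a token minted before
# reset_session (or for another session) fails; a missing token fails.
def demo
  session = {}
  token = masked_authenticity_token(session)
  { same_session: valid_authenticity_token?(session, token),
    after_reset: valid_authenticity_token?({}, token), # new session => new secret
    missing: valid_authenticity_token?(session, nil) }
end
```

Losing the session cookie between rendering the form and submitting it (expired cookie, cookie-store secret change, a call to reset_session) has the same effect as the after_reset case: the form's token no longer unmasks to the current session secret.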
  def handle_unverified_request
    # NOTE: reset_connection is not a standard Rails controller helper (Rails' default
    # handler calls reset_session); the application must define it.
    reset_connection
    # validate only for html submit and not for ajax
    if request.post? && !request.xhr? && request.content_type != 'multipart/form-data'
      redirect_to controller: 'logout', action: 'index', is_invalid_token: true
    end
  end

and then I have the logout controller

  # Wrapped in the logout controller's index action (the target of the redirect above)
  # so the fragment is complete.
  class LogoutController < ApplicationController
    def index
      if !params[:is_invalid_token].nil?
        flash[:notice] = "You don't have access with this."
        flash[:notice_header] = 'Forbidden Access'
      end

      redirect_to :controller => 'login', :action => 'index'
    end
  end
  • This is not an answer, it's part of the question. And it's not the code we need. Your client is getting CSRF errors on login. Let's see the login workflow. – Chiperific Oct 28 '20 at 12:18
  • Please either update the question or start a new question specific to your CSRF on login problem. – Chiperific Oct 28 '20 at 12:19