2

does any one know how the authenticity_token of rails3 is generated? I noticed that the value of the token of a form does not change when I refresh the form page. who is it generated? based on session cookie? on time? secret_key?

enenkey
  • 1,261
  • 3
  • 16
  • 27

2 Answers2

6

The AuthenticityToken is basically a call to ActiveSupport::SecureRandom.base64(32), which you can read about here http://api.rubyonrails.org/classes/ActiveSupport/SecureRandom.html

Edit - Updated to include more recent changes, as per Lambart's answer below.

In Rails >= 3.1, ActiveSupport::SecureRandom is deprecated in favor of SecureRandom from the Ruby standard library (starting with Ruby 1.9.3, it seems).

However it is generated, this token is stored in the session (i.e. it lasts for the lifetime of the session).

Thanks Lambart.

Community
  • 1
  • 1
Fareesh Vijayarangam
  • 5,037
  • 4
  • 23
  • 18
  • 1
    Can you explain why the token is not changing after page refresh (F5) ? Is it because I'm in dev environment? – enenkey Aug 06 '11 at 17:41
  • It is stored in the session, so it is not meant to change for the lifetime of the session, no matter what environment you're in. – Lambart Oct 24 '13 at 01:38
  • Moderators didn't like my edit to update and fix the broken link in Fareesh's otherwise-informative (but dated) answer, so I guess I'd better just write my own. – Lambart Oct 24 '13 at 17:55
0

In Rails < 3.09, the AuthenticityToken is generated by a call to ActiveSupport::SecureRandom.base64(32), which you can read about here.

In Rails >= 3.1, ActiveSupport::SecureRandom is deprecated in favor of SecureRandom from the Ruby standard library (starting with Ruby 1.9.3, it seems).

However it is generated, this token is stored in the session (i.e. it lasts for the lifetime of the session).

Lambart
  • 1,985
  • 2
  • 21
  • 37