
Ruby on Rails (RoR), usually just called Rails, is an open-source web development framework written in Ruby, an object-oriented programming language in the same family as Python and Perl.

The main distinction between Ruby on Rails and other frameworks is the speed and simplicity with which developers can work inside it. In development mode, code changes take effect on the next request without a rebuild or restart, which removes much of the edit, compile and deploy cycle of other stacks. According to David Geary, a Java specialist, development on the Ruby-based framework is five to ten times faster than on equivalent Java-based frameworks.

If you use Rails, you are almost certainly relying on its CSRF protection right now. It has been around for almost as long as Rails itself, and it is one of those things that makes your life simpler without you even noticing.


Table of Contents:

1 - Can't verify csrf token authenticity (Explanation)
2 - The reason that will keep showing this message
3 - The Solution
4 - The Conclusion

Can’t verify csrf token authenticity (Explanation)

In a nutshell, Cross-Site Request Forgery (CSRF) is an attack in which a malicious site gets a victim's browser to send a request to your server. The browser attaches the victim's session cookie automatically, so the server sees what looks like a legitimate request from a logged-in user. Rails defends against this by generating a secret token per session and checking that every state-changing request carries a matching token, something a third-party site cannot obtain.

The protection has two parts. First, a secret token is stored in the user's session (with the default cookie store that means inside the encrypted session cookie, which another site cannot read). Second, a value derived from that secret is embedded in the HTML of every page: the hidden authenticity_token field that form_with and form_for add to each form, and the <meta> tags that csrf_meta_tags emits so JavaScript can send the token in the X-CSRF-Token header. When the browser submits a POST (or PUT, PATCH or DELETE) request, the token from the page travels with it, and Rails checks that it matches the token in the session. Since Rails 4.2 the page token is masked with a fresh random pad on every render, so the same session produces a different-looking token on each page load while still verifying correctly.

The reason that will keep showing this message

It can happen for several reasons. The browser may not have stored or sent the session cookie that the token is checked against: cookies blocked outright, an ad-blocking or script-blocking extension interfering, a session that expired (or was reset at login) between rendering the form and submitting it, or the request going to a different host or scheme than the one that set the cookie. Or the token itself may be missing or stale: a cached page served with a token that belongs to a different session, or an AJAX/JSON request that never sent the X-CSRF-Token header because csrf_meta_tags is not in the layout. In every case the server ends up with a token from the request that does not match the token in the session (or with no request token at all), Rails raises ActionController::InvalidAuthenticityToken, and "Can't verify CSRF token authenticity" is what shows up in the log.

The Solution

The Rails CSRF protection is designed for browser-facing web apps: it only checks that a non-GET request originated from a page your own app rendered. Rails generates a random token per session and stores it in the session, where only your server can read it, and embeds a masked copy of it in the page as a hidden input. Every non-GET request must then carry a token that matches the session copy. What happens on a mismatch depends on the strategy passed to protect_from_forgery. The option below does not disable the check: it lets the action run, but with an empty session for that request, so a forged request cannot act as the logged-in user (cookie-based authentication sees no current user).

class ApiController < ActionController::Base
  # On a missing or invalid token, continue but treat the session as empty for this request
  protect_from_forgery with: :null_session
end

The other option is to skip the check entirely. That is only safe for endpoints that do not authenticate with cookies, for example an API that requires a bearer token in the Authorization header, which a third-party page cannot attach:

# No CSRF check at all for this controller; never use on cookie-authenticated actions
skip_before_action :verify_authenticity_token

Remember that XML and JSON requests are checked too. If you are building an API, change the forgery-protection strategy in ApplicationController (the default is with: :exception). A shortcut that is often suggested is to skip the check whenever the request format is JSON:

class ApplicationController < ActionController::Base
  # Skips verification for requests Rails classifies as JSON
  protect_from_forgery unless: -> { request.format.json? }
end

Be careful with this pattern. request.format is derived from the URL extension and the Accept header, both of which the requesting page controls: a cross-site HTML form posting to /transfers.json is classified as JSON and bypasses the check while still carrying the victim's session cookie. Only exempt endpoints whose authentication does not come from the cookie, and do it in a dedicated API base controller (with: :null_session or skip_before_action :verify_authenticity_token there) rather than by format in ApplicationController.
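To tie the Explanation section and the three strategies above together, here is an added stand-alone Ruby model of the check. It is not Rails' own code (that lives in ActionController::RequestForgeryProtection); the helper names, the Request struct, the session hashes and the sample requests are assumptions made for illustration, but the scheme (a per-session secret, a one-time-pad mask applied on each render, unmask and constant-time compare on submit, then :exception / :null_session / skip behaviour) is the one the text describes.

```ruby
require 'securerandom'

# Added example: a stand-alone model of Rails' CSRF token scheme, not Rails' code.
# Method names, the Request struct and the sample data below are ours.
TOKEN_LENGTH = 32 # bytes of random secret, the same length Rails uses

# Strict Base64 via Array#pack / String#unpack1 so no extra gem is needed.
def b64(bytes)
  [bytes].pack('m0')
end

def unb64(text)
  text.unpack1('m0') # raises ArgumentError on malformed input
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# 1. One secret per session, kept server-side (Rails: session[:_csrf_token]).
#    The browser only ever sees it in masked form.
def raw_session_token(session)
  session[:_csrf_token] ||= b64(SecureRandom.random_bytes(TOKEN_LENGTH))
  unb64(session[:_csrf_token])
end

# 2. The value placed in the hidden authenticity_token input and the csrf meta tag.
#    A fresh one-time pad is XORed over the secret on every render, so two page
#    loads carry different tokens that both verify against the same session.
def form_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  b64(pad + xor_bytes(pad, raw_session_token(session)))
end

# Constant-time comparison: a forged token must not be guessable byte by byte via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# 3. Unmask the submitted token and compare it with the session's secret.
def valid_token?(session, submitted)
  return false if submitted.nil? || submitted.empty?
  decoded = unb64(submitted)
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad    = decoded.byteslice(0, TOKEN_LENGTH)
  masked = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  secure_compare(xor_bytes(pad, masked), raw_session_token(session))
rescue ArgumentError
  false # not Base64 at all
end

# Minimal stand-in for the parts of the Rails request the check looks at (assumed shape).
Request = Struct.new(:http_method, :params, :headers, :session, keyword_init: true)

class InvalidAuthenticityToken < StandardError; end

# Rails reads the hidden form field first, then the X-CSRF-Token header that
# rails-ujs and hand-written fetch/XHR code send with JSON requests.
def token_from(request)
  request.params[:authenticity_token] || request.headers['X-CSRF-Token']
end

# The strategies discussed in the text. Returns the session the action would run with.
#   :exception    (Rails' default) rejects the request with the error from the title
#   :null_session lets the action run, but with an empty session: no logged-in user to abuse
#   :skip         models skip_before_action :verify_authenticity_token, no check at all
def verify_authenticity(request, strategy: :exception)
  return request.session if %w[GET HEAD].include?(request.http_method) || strategy == :skip
  return request.session if valid_token?(request.session, token_from(request))

  case strategy
  when :exception    then raise InvalidAuthenticityToken, "Can't verify CSRF token authenticity."
  when :null_session then {}
  end
end

if __FILE__ == $PROGRAM_NAME
  victim = { user_id: 42 } # constructed sample session of a logged-in user
  legit  = Request.new(http_method: 'POST', params: { authenticity_token: form_token(victim) },
                       headers: {}, session: victim)
  forged = Request.new(http_method: 'POST', params: { amount: 100 }, headers: {}, session: victim)
  puts verify_authenticity(legit)[:user_id]                         # 42
  puts verify_authenticity(forged, strategy: :null_session).inspect # {}
  begin
    verify_authenticity(forged)
  rescue InvalidAuthenticityToken => e
    puts e.message                                                  # Can't verify CSRF token authenticity.
  end
end
```

Run it with `ruby csrf_model.rb`. The forged request carries the victim's session but no token: with the default strategy it is rejected, with :null_session the action runs as an anonymous user, and only with :skip would it run as user 42, which is why skipping is acceptable solely for endpoints whose authentication does not come from the session cookie.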

The Conclusion

Because, like so many other things in Rails, CSRF protection "just works", I had never given it any attention. It is fun to look behind the magic curtain every now and again and see what is actually going on.

The implementation of CSRF protection is, in my opinion, a good example of separating responsibilities in a codebase. By keeping it in a single module that exposes a small, stable public interface, the implementation underneath is free to change with little or no impact on the rest of the codebase. You can see this in action in the features the Rails team has added to CSRF protection over the years, such as per-form tokens.

