Module: ActionController::RequestForgeryProtection

Methods

form_authenticity_token
included
protect_against_forgery?
verifiable_request_format?
verified_request?
verify_authenticity_token

Classes and Modules

Module ActionController::RequestForgeryProtection::ClassMethods

Public Class methods

included(base)

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 6
 6:     def self.included(base)
 7:       base.class_eval do
 8:         helper_method :form_authenticity_token
 9:         helper_method :protect_against_forgery?
10:       end
11:       base.extend(ClassMethods)
12:     end

Protected Instance methods

form_authenticity_token()

Sets the token value for the current session. Pass a :secret option in protect_from_forgery to add a custom salt to the hash.

[ show source ]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 100
100:       def form_authenticity_token
101:         session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
102:       end

protect_against_forgery?()

[ show source ]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 104
104:       def protect_against_forgery?
105:         allow_forgery_protection && request_forgery_protection_token
106:       end

verifiable_request_format?()

[ show source ]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 94
94:       def verifiable_request_format?
95:         !request.content_type.nil? && request.content_type.verify_request?
96:       end

verified_request?()

Returns true or false if a request is verified. Checks:

is the format restricted? By default, only HTML and AJAX requests are checked.
is it a GET request? Gets should be safe and idempotent
Does the form_authenticity_token match the given token value from the params?

[ show source ]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 87
87:       def verified_request?
88:         !protect_against_forgery?     ||
89:           request.method == :get      ||
90:           !verifiable_request_format? ||
91:           form_authenticity_token == params[request_forgery_protection_token]
92:       end

verify_authenticity_token()

The actual before_filter that is used. Modify this to change how you handle unverified requests.

[ show source ]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 78
78:       def verify_authenticity_token
79:         verified_request? || raise(ActionController::InvalidAuthenticityToken)
80:       end