Methods
Classes and Modules
Module ActionController::RequestForgeryProtection::ClassMethods
Public Class methods
included(base)
    # File actionpack/lib/action_controller/request_forgery_protection.rb, line 6
    def self.included(base)
      base.class_eval do
        helper_method :form_authenticity_token
        helper_method :protect_against_forgery?
      end
      base.extend(ClassMethods)
    end
Protected Instance methods
form_authenticity_param()
    # File actionpack/lib/action_controller/request_forgery_protection.rb, line 95
    def form_authenticity_param
      params[request_forgery_protection_token]
    end
form_authenticity_token()

Sets the token value for the current session. Pass a :secret option in protect_from_forgery to add a custom salt to the hash.

    # File actionpack/lib/action_controller/request_forgery_protection.rb, line 105
    def form_authenticity_token
      session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
    end
protect_against_forgery?()
    # File actionpack/lib/action_controller/request_forgery_protection.rb, line 109
    def protect_against_forgery?
      allow_forgery_protection && request_forgery_protection_token
    end
verifiable_request_format?()
    # File actionpack/lib/action_controller/request_forgery_protection.rb, line 99
    def verifiable_request_format?
      !request.content_type.nil? && request.content_type.verify_request?
    end
verified_request?()

Returns true if the request is verified and false otherwise. Checks:

  • Is the format restricted? By default, only HTML requests are checked.
  • Is it a GET request? GET requests should be safe and idempotent.
  • Does the form_authenticity_token match the token value given in the params?
    # File actionpack/lib/action_controller/request_forgery_protection.rb, line 87
    def verified_request?
      !protect_against_forgery?     ||
        request.method == :get      ||
        request.xhr?                ||
        !verifiable_request_format? ||
        form_authenticity_token == form_authenticity_param
    end
verify_authenticity_token()

The actual before_filter that is used. Modify this to change how you handle unverified requests.

    # File actionpack/lib/action_controller/request_forgery_protection.rb, line 78
    def verify_authenticity_token
      verified_request? || raise(ActionController::InvalidAuthenticityToken)
    end
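The methods above form one decision chain, and it is easiest to see what they accept and reject by running them outside Rails. The following is an added example, not code from the Rails source documented here: it models the same short-circuit chain (protection switch, GET, XHR, verifiable format, token comparison) over constructed requests sharing one session. `FakeRequest`, `ForgeryGuard`, `VERIFIED_TYPES` and `forgery_check_scenarios` are stand-ins invented for the example; the list of verified content types is an assumption standing in for `Mime::Type#verify_request?`. One deliberate difference from the page's code: the final token comparison is constant-time rather than `==`, so a mismatch takes the same time regardless of where the first differing byte sits.

```ruby
require 'securerandom'

# Added example, not Rails code: a stand-alone model of the forgery check
# documented on this page, exercised with constructed requests.

InvalidAuthenticityToken = Class.new(StandardError)

# Constructed stand-in for the slice of the Rails request object the check
# reads. Rails exposes the verb as request.method; http_method is used here
# so Object#method is not shadowed.
class FakeRequest
  attr_reader :http_method, :content_type

  def initialize(http_method, content_type: 'text/html', xhr: false)
    @http_method, @content_type, @xhr = http_method, content_type, xhr
  end

  def xhr?
    @xhr
  end
end

class ForgeryGuard
  # Assumption standing in for Mime::Type#verify_request?: only the content
  # types a browser form can submit are checked ("only HTML requests").
  VERIFIED_TYPES = %w[text/html application/x-www-form-urlencoded multipart/form-data].freeze

  attr_reader :request, :session, :params

  def initialize(request, session, params, allow_forgery_protection: true,
                 request_forgery_protection_token: :authenticity_token)
    @request, @session, @params = request, session, params
    @allow_forgery_protection = allow_forgery_protection
    @request_forgery_protection_token = request_forgery_protection_token
  end

  # One random token per session, created lazily, as on the page.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  def form_authenticity_param
    params[@request_forgery_protection_token]
  end

  def protect_against_forgery?
    @allow_forgery_protection && @request_forgery_protection_token
  end

  def verifiable_request_format?
    !request.content_type.nil? && VERIFIED_TYPES.include?(request.content_type)
  end

  # Same short-circuit chain as the page's verified_request?; only the final
  # comparison differs (constant-time instead of ==). A missing param becomes
  # "" and fails the length check.
  def verified_request?
    !protect_against_forgery?      ||
      request.http_method == :get  ||
      request.xhr?                 ||
      !verifiable_request_format?  ||
      secure_compare(form_authenticity_token, form_authenticity_param.to_s)
  end

  def verify_authenticity_token
    verified_request? || raise(InvalidAuthenticityToken)
  end

  private

  # Compares lengths first, then XORs every byte so the time taken does not
  # depend on the position of the first mismatch.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Runs the check over constructed requests against one shared session and
# reports which ones verified_request? accepts.
def forgery_check_scenarios
  session = {}
  token = ForgeryGuard.new(FakeRequest.new(:get), session, {}).form_authenticity_token
  check = lambda do |req, params: {}, allow: true|
    ForgeryGuard.new(req, session, params, allow_forgery_protection: allow).verified_request?
  end

  {
    'GET form'                => check.(FakeRequest.new(:get)),
    'POST form, no token'     => check.(FakeRequest.new(:post)),
    'POST form, valid token'  => check.(FakeRequest.new(:post), params: { authenticity_token: token }),
    'POST form, wrong token'  => check.(FakeRequest.new(:post), params: { authenticity_token: token.reverse }),
    'POST JSON body'          => check.(FakeRequest.new(:post, content_type: 'application/json')),
    'POST via XHR, no token'  => check.(FakeRequest.new(:post, xhr: true)),
    'protection switched off' => check.(FakeRequest.new(:post), allow: false),
  }
end

if __FILE__ == $0
  forgery_check_scenarios.each { |name, ok| puts "#{name.ljust(24)} #{ok ? 'accepted' : 'rejected'}" }
end
```

The table the script prints makes the page's caveats concrete: a POST with a non-form content type or with the XHR header is accepted without any token, because `verifiable_request_format?` and `request.xhr?` short-circuit the chain before the comparison runs. Anyone relying on this filter should know which requests it never inspects.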