Authenticity_token sent, still InvalidAuthenticityToken

t_anjan · October 10, 2008, 2:29pm

Hi!

To send the authenticity token from flex back to the server, I followed
this:
http://blog.dt.org/index.php/2008/06/rails-2-flex-3-and-form-authenticity-tokens/

I have two controllers in my rails app. The method described in the link
above works with the actions in one controller, but does not work with
the other.

The controller which does not work has just one action which performs a
file upload. In this controller, if I don’t put “skip_before_filter
:verify_authenticity_token” at the top, the file upload doesn’t work. I
have pasted the upload action below:

def upload_image
directory = “public” + params[ :temp_Image_Location ].to_s
pRandomFileName = params[ :random_File_Name ].to_s
pFileData = params[ :Filedata ]

vFilePath = File.join( directory, pRandomFileName )

succeeded = File.open( vFilePath, "wb" ) { |vBuffer| vBuffer.write(

pFileData.read ) }

render(:xml => "<response>Finished!</response>") if succeeded

end

Why is it that the authenticity_token variable is being detected in one
controller and not the other? I’d be very grateful if someone could help
me out with this.

Thanks.
Anjan

t_anjan · October 10, 2008, 3:41pm

Authenticity token is checked for all POST requests (aka POST / PUT /
DELETE). If you’re doing just GET then the system doesn’t look for a
token.

An easier way to grab the auth token than what’s specified in the blog
post is to use ExternalInterface and a javascript function:

html:

Flash:

var authToken:String = ExternalInterface.call(“getAuthKey”);

Which then needs to be added to the .data field of an URLRequest you
process.

Hope that helps.

Jason

On Fri, Oct 10, 2008 at 8:29 AM, Anjan T.

t_anjan · October 10, 2008, 4:05pm

Hi!

I am using POST, not GET.

Thanks for the tip. I changed my code to use the external interface call
from flex. But the problem persists. Even with my previous code, there
wasn’t any problem in sending the authenticity token from flex to rails.
Rails is receiving the token, as shown in the log output.

Processing QuestionsController#insert (for 192.170.50.67 at 2008-10-10
19:39:21) [POST]
Session ID:
BAh7BzoMY3NyZl9pZCIlNjJiYjY0OTQ1NGQ3MWI1OWE5OWM2MTMzNzFjNzdj
NjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=–8e7dec53efd7dd4aaadd3c78e0b1d224e1cd55e7
Parameters: {“xml_Question”=>“Error”,
“authenticity_token”=>“26614e317154739eade694d4721873093f317384”,
“temp_Image_Location”=>“http://192.170.50.67:3000/images/temp”,
“action”=>“insert”, “uuid”=>“”, “controller”=>“questions”,
“images_To_Be_Moved”=>“”}
Completed in 0.00364 (274 reqs/sec) | Rendering: 0.00011 (2%) | DB:
0.00000 (0%) | 200 OK [http://192.170.50.67/questions/insert]

The above is the log output for the controller which works.

The following log output is for the image upload action.

Processing UploadController#upload_image (for 192.170.50.67 at
2008-10-10 19:39:48) [POST]
Session ID: 8ce910b4f637abc4a02844057c6ebc0b
Parameters: {“Filename”=>“France.gif”,
“authenticity_token”=>“26614e317154739eade694d4721873093f317384”,
“temp_Image_Location”=>“/images/temp”, “action”=>“upload_image”,
“Upload”=>“Submit Query”, “controller”=>“upload”,
“random_File_Name”=>“1223647783541_517.gif”,
“Filedata”=>#ActionController::UploadedStringIO:0x25ee6cc}

ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):
/Library/Ruby/Gems/1.8/gems/actionpack-2.1.0/lib/action_controller/request_forgery_protection.rb:86:in
`verify_authenticity_token’

As you can see, I’m using POST and the “authenticity_token” variable is
present. What worked for the first controller, is not working for the
second. I can’t figure out why.

Any insights?

Thanks.
Anjan

t_anjan · October 10, 2008, 4:23pm

Hmm, ok. The only other time I’ve seen this behaviour is when the
cookie for the site isn’t getting set, or is getting set with the
wrong domain. One quick test, could you compare the authenticity token
value as put in the HTML vs what gets passed in as a post parameter?

Jason

On Fri, Oct 10, 2008 at 10:05 AM, Anjan T.

t_anjan · October 14, 2008, 5:36pm

On 14 Oct 2008, at 16:13, Anjan T. wrote:

token into it and check if the POST value matches it?

One avenue to explore is that the authenticity token is based on the
session (either a value in it, or the session etc…) if the flex
stuff doesn’t use rails’ session cookie then you would get an invalid
authenticity token error.

Fred

t_anjan · October 14, 2008, 5:40pm

On Tue, Oct 14, 2008 at 11:25 AM, Frederick C.
[email protected] wrote:

So how would they differ?

Fred

What Fred said. Open up the HTML source in your browser and find the
authenticity token. Now open up the web server logs
(log/development.log most likely). Now do the post from Flex.

Compare the two values. They’re probably different for you and that’s
what’s throwing the error. The difference is because the auth token is
built from the session id, and if your session stuff is messed up
somehow, Rails will find a discrepency and error out.

Jason

t_anjan · October 14, 2008, 5:13pm

I don’t understand what you want me to do exactly. Isn’t the
authenticity token being sent from the HTML to Flex in the first place?
That same value is coming back from flex as a POST variable, right?

So how would they differ?

Do you want me to put a text field in the HTML and put the authenticity
token into it and check if the POST value matches it?

I’m confused.

t_anjan · October 15, 2008, 10:17am

On Oct 15, 8:30 am, Anjan T. [email protected]
wrote:

“Filedata”=>#ActionController::UploadedStringIO:0x2701294}

ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):

As you can see, both the values are the same. Still I’m getting the same
error.

But is the session id the same for the request for the page where you
click upload and for the upload request itself ?(and obviously when
the session id changes so does the authenticity token, so that hard
coded value in getAuthenticityToken will only get you so far.)

Fred

t_anjan · October 15, 2008, 9:30am

This is in my HTML source:

And this is what I get from the logs:

Processing UploadController#upload_image (for 192.170.50.67 at
2008-10-15 12:58:50) [POST]
Session ID: fbcd2a610aa9c048c82f1d5733f56837
Parameters: {“Filename”=>“Sunflower.gif”,
“temp_Image_Location”=>"/images/temp",
“authenticity_token”=>“86b74406048a7f629bd560eab8de771a74c620be”,
“action”=>“upload_image”, “Upload”=>“Submit Query”,
“controller”=>“upload”, “random_File_Name”=>“1224055727771_274.gif”,
“Filedata”=>#ActionController::UploadedStringIO:0x2701294}

ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):

As you can see, both the values are the same. Still I’m getting the same
error.

I repeat, the same code works for another controller. If what you are
suggesting was really the case, is it possible for just one controller
to be affected?

t_anjan · October 15, 2008, 12:53pm

Hi!

I think both of you have hit the nail on the head.

Just to avoid confusion, I placed all 3 of my methods in question into
the same controller (one working method, one method that does not work
and one method which renders the page that has the flex app in it).

Here is the log output when I load the rails app in my browser: (I’ve
set map.root to execute the “index” method.

Processing QuestionsController#index (for 192.170.50.67 at 2008-10-15
15:56:47) [GET]
Session ID: 594b5d72d93b07f9d6a272f301a3e0f7
Parameters: {“action”=>“index”, “controller”=>“questions”}
Rendering questions/index
Completed in 0.00188 (531 reqs/sec) | Rendering: 0.00042 (22%) | DB:
0.00000 (0%) | 200 OK [http://192.170.50.67/]

Processing QuestionsController#index (for 192.170.50.67 at 2008-10-15
15:56:47) [GET]
Session ID:
BAh7BzoMY3NyZl9pZCIlOTdiYWM0MDM0OGM0NmRmZDkzZWJiMDhhNzIwYjIy
ODQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=–1a32065d2fd99849429fc9dec4dcb26ec4e3623a
Parameters: {“action”=>“index”, “controller”=>“questions”,
“debug”=>“true”}
Rendering questions/index
Completed in 0.00193 (517 reqs/sec) | Rendering: 0.00045 (23%) | DB:
0.00000 (0%) | 200 OK [http://192.170.50.67/?debug=true]

I’ve got no idea why it executes the same method twice, but it looks
like the second Session ID is what sticks.

Here is the log output when I call the “insert” method that works:

Processing QuestionsController#insert (for 192.170.50.67 at 2008-10-15
15:58:24) [POST]
Session ID:
BAh7BzoMY3NyZl9pZCIlOTdiYWM0MDM0OGM0NmRmZDkzZWJiMDhhNzIwYjIy
ODQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=–1a32065d2fd99849429fc9dec4dcb26ec4e3623a
Parameters:
{“authenticity_token”=>“86b74406048a7f629bd560eab8de771a74c620be”,
“temp_Image_Location”=>“/images/temp”, “images_To_Be_Published”=>“”,
“action”=>“insert”, “uuid”=>“927EE8CA-C86B-DDEC-C444-000C98986267”,
“separator”=>“&&”, “controller”=>“questions”}
Completed in 0.00565 (176 reqs/sec) | Rendering: 0.00018 (3%) | DB:
0.00000 (0%) | 200 OK [http://192.170.50.67/questions/insert]

Notice that the Session ID is the same as the “index” method call.

Here is the log output when I call the “upload_image” method that DOES
NOT WORK:

Processing QuestionsController#upload_image (for 192.170.50.67 at
2008-10-15 15:57:33) [POST]
Session ID: 8e7a7ad93525bce8a253542d8812ea4a
Parameters: {“Filename”=>“Spiked.gif”,
“temp_Image_Location”=>“/images/temp”,
“authenticity_token”=>“86b74406048a7f629bd560eab8de771a74c620be”,
“action”=>“upload_image”, “Upload”=>“Submit Query”,
“controller”=>“questions”, “random_File_Name”=>“1224066450419_711.gif”,
“Filedata”=>#ActionController::UploadedStringIO:0x26d8600}

ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):

As both of you suspected, the Session ID is different just for this
method call.
And hence the authenticity token that I send is invalid.

If I call the “insert” method again after the “upload_image” method has
failed, the Session ID is correct again and it works.

But I don’t understand why the Session ID is suddenly different for one
particular method.

Any ideas?

Thanks for the help so far.

t_anjan · November 19, 2008, 4:49pm

Anjan T. wrote:

Any ideas, anyone?

It looks as if “Mister” had the same problem. Although he was using JSP,
i believe you get a good explanation of what is going on.

“Firefox apparently uses another instance of the browser window to
dispatch the uploaded file, this window does not have the session. I
searched for some possible answer and it seems you need to ask the
correction combination of questions to find the solution. The Flex
documentation seems to hint at part of the issue, but nothing direct
enough.”

t_anjan · November 19, 2008, 7:16pm

Thanks. I’ll look closer into that. But I was testing on Safari (Mac)
and not Firefox.

But lately, I’ve been having more problems with the authentication /
session ID stuff. More of my actions started giving me the same error. I
ended up just switching off the verification authenticity globally. It
seems to be such a pain to configure when you are not using plain
erb/rhtml web apps.

And surprisingly few people seem to know about these issues.

Thanks again. I just had quick scan over that post you linked to. I’ll
give it a closer look.

t_anjan · October 20, 2008, 10:26am

Any ideas, anyone?

t_anjan · November 20, 2008, 9:59am

On 19 Nov 2008, at 19:16, Anjan T. wrote:

And surprisingly few people seem to know about these issues.
Issues that can be overcome very easily (see below). It is a very bad
idea to disable the authenticity token, it was put in place to protect
your site from malicious attacks.

Thanks again. I just had quick scan over that post you linked to. I’ll
give it a closer look.

The solution is pretty simple to be honest:

In your view layout file, add this to the section:

 <script type="text/javascript" charset="utf-8">
     window._token = '<%= form_authenticity_token -%>';
 </script>

In application.js, add the following:

Ajax.Base.prototype.initialize = Ajax.Base.prototype.initialize.wrap(
function(p, options){
p(options);
this.options.parameters = this.options.parameters || {};
this.options.parameters.authenticity_token = window._token || ‘’;
}
);

It will automatically add the authenticity token to ALL ajax requests,
even those you invoke from custom code (graceful degrading and/or even
delegated events for example).

A similar solution for those swapping out Prototype with JQuery has
been posted at
http://henrik.nyh.se/2008/05/rails-authenticity-token-with-jquery

As for file uploaders, a normal field within a form (multipart=true)
will be sent as part of the form (and isn’t an ajax request in the
first place) and shouldn’t be a problem. If you are using ANY other
“ajax” uploader, there’s more to it. I already posted several times on
how to get SWFUpload to play nicely with Rails, an overview with links
to the appropriate posts can be found here:

http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/45f70281a5992fa7

Best regards

Peter De Berdt

t_anjan · November 23, 2008, 10:34am

Hi!

Would your solution above work for Flex apps as well? I’m using no AJAX.
Just Flex and rails. Even the upload is done from within Flex.

As I’ve mentioned previously in the post, I am sending the authenticity
token along with all my requests to rails. But the problem is that the
authenticity token that is sent become invalid because of a changing
Session ID.

Thanks.

Anjan

t_anjan · November 23, 2008, 11:28am

On 23 Nov 2008, at 10:34, Anjan T. wrote:

Would your solution above work for Flex apps as well? I’m using no
AJAX.
Just Flex and rails. Even the upload is done from within Flex.

As I’ve mentioned previously in the post, I am sending the
authenticity
token along with all my requests to rails. But the problem is that the
authenticity token that is sent become invalid because of a changing
Session ID.

If you look at the post about getting SWFUpload up and running, you’ll
notice there’s a patch for the session handling in there that allows
you to pass the session data as normal post parameters instead of a
cookie and make Rails detect and use it. Flex being a Flash-based
frontend, you should be able to do the same. My guess is that
ActionScript will have a similar way of automatically adding that data
to each request. Maybe someone on this list has already integrated a
Flexbased app this way (I know there are some Flex developers on this
list), else you’ll have to ask on a Flex forum/mailing list.

Best regards

Peter De Berdt

t_anjan · April 10, 2009, 9:48am

Hi
I had the same problem. After some digging and http sniffing I found
this repo on github that solves the problem:

The workaround is to use a rack file to filter the request from flex:

require ‘rack/utils’

class FlashSessionCookieMiddleware
def initialize(app, session_key = ‘_session_id’)
@app = app
@session_key = session_key
end

def call(env)
if env[‘HTTP_USER_AGENT’] =~ /^(Adobe|Shockwave) Flash/
params = ::Rack::Utils.parse_query(env[‘QUERY_STRING’])
env[‘HTTP_COOKIE’] = [ @session_key, params[@session_key]
].join(‘=’).freeze unless params[@session_key].nil?
end
@app.call(env)
end
end

t_anjan · April 11, 2009, 4:41am

2009/4/10 Matteo P. [email protected]

def call(env)
if env[‘HTTP_USER_AGENT’] =~ /^(Adobe|Shockwave) Flash/
params = ::Rack::Utils.parse_query(env[‘QUERY_STRING’])
env[‘HTTP_COOKIE’] = [ @session_key, params[@session_key]
].join(‘=’).freeze unless params[@session_key].nil?
end
@app.call(env)
end

I want to find a way that detection flash client. But I cannot.
There isn’t “Flash” string in HTTP_USER_AGENT in Safari.
Someone said check HTTP_X_FLASH_VERSION.
These params appear when I have flash player installed. Also I don’t use
flash player visit rails.

So, I don’t know how to detection flash client now?