即使请求标头中包含正确的 x-csrf-token,也不要在 Ajax 帖子上设置 current_user
使用: 铁轨3.0.7 设计1.4.5 jquery-rails 1.0.14
通过 ajax 发布数据时,Devise 未设置 current_donor。
我的请求标头如下所示:
Host localhost:3000
User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0) Gecko/20100101 Firefox/6.0
Accept */*
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip, deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection keep-alive
Content-Type application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With XMLHttpRequest
x-csrf-token UFhqJrlOA1c1sAPeUTtV/ABcq5IeqkfA842ORcIWwks=
在关联的控制器操作中,查看会话值,我发现以下内容:
{"_csrf_token"=>"UFhqJrlOA1c1sAPeUTtV/ABcq5IeqkfA842ORcIWwks=", "warden.user.donor.key"=>["Donor", [485], "$2a$10$OtkItrzVhN4Ussnqy5k1Au"], "session_id"=>"e6693e22275385a58e0915538791ea49"}
这将向我表明 csrf_token 与预期值匹配。然而,current_donor 仍然为零。
我已经阅读了几篇关于此的文章,事实上,从一开始,csrf_meta_tag 方法并不在我的布局中,并且 csrf 令牌也没有被设置。
然而,情况不再是这样,csrf 令牌正在设置,但我仍然没有得到 current_donor 值。
当我发出 ajax get 请求时,current_donor 已正确设置。
如果您对我还应该去哪里寻找任何建议,我将不胜感激。
最好的, 汤姆
Using:
Rails 3.0.7
Devise 1.4.5
jquery-rails 1.0.14
When posting data via ajax, Devise is not setting current_donor.
My request header looks like this:
Host localhost:3000
User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0) Gecko/20100101 Firefox/6.0
Accept */*
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip, deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection keep-alive
Content-Type application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With XMLHttpRequest
x-csrf-token UFhqJrlOA1c1sAPeUTtV/ABcq5IeqkfA842ORcIWwks=
Within the associated controller action, looking at the session values, I find the following:
{"_csrf_token"=>"UFhqJrlOA1c1sAPeUTtV/ABcq5IeqkfA842ORcIWwks=", "warden.user.donor.key"=>["Donor", [485], "$2a$10$OtkItrzVhN4Ussnqy5k1Au"], "session_id"=>"e6693e22275385a58e0915538791ea49"}
This would indicate to me that the csrf_token matches the expected value. Yet, current_donor remains nil.
I have read through several of the posts on this, and indeed, at the outset, the csrf_meta_tag method was not in my layout, and the csrf token was not being set.
However, that is no longer the case, the csrf token is being set, and yet I am still getting no current_donor value.
When I make ajax get requests, current_donor is being set properly.
Any advice you have on where else I should look would be greatly appreciated.
Best,
Tom
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我以前也遇到过同样的问题。我通过包含 csrf_token 解决了这个问题,如下所示
I had the same problem before. I solved it by including csrf_token as below
我有类似的问题。我必须改变其他一些事情。我的 xhr 请求是使用 withCredentials 作为 true 发送的,并且我必须使用 Rack Cors,以允许具有特定来源的资源凭据(当凭据为 true 时这是强制性的)
然后,我的 xhr:
解释
我的应用程序将会话数据存储在DB,由 _session_id cookie 标识。我的应用程序跨子域共享 cookie,withCredentials = true,发送第一个请求设置的 cookie。
I'm having a similar issue. I had to change some other things. My xhr request was sent using withCredentials as true, and I had to use Rack Cors, to allow credentials for the resource, with a specific origin (that's mandatory when credentials: true)
Then, my xhr:
Explanation
My application stores session data, on the DB, which is identified by the _session_id cookie. My application shares cookies across subdomains, withCredentials = true, sends the cookies set by first request.