Stupid Rails Mistakes: Caching and Authenticity Tokens
If you use page or action caching on a page that contains a form, or a fragment cache block that encloses the form tag, you’ll see Rails blow up on the second user who submits the cached form. The authenticity_token rendered for the first user’s session was cached along with the form, every later visitor posts that stale token, and protect_from_forgery rejects it with ActionController::InvalidAuthenticityToken because it no longer matches the submitter’s session. So the moral is: don’t cache the authenticity token. Keep the hidden field outside the cached fragment (or don’t cache pages with forms at all) so each visitor gets a token tied to their own session.
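Here is an added, runnable illustration of the failure and the fix; it is not code from this post or from Rails itself. It models Rails 2.0’s per-session token as an HMAC of the session id under an application secret (a simplification of the real derivation), stands in a tiny PageCache for page/action caching, and uses constructed session ids and form markup. The first renderer caches the whole form, token included, so the second visitor’s submission fails verification; the second renderer keeps the hidden field outside the cached fragment, so both visitors pass.

```ruby
require 'openssl'
require 'securerandom'

# Assumed application secret, constructed for this example only.
SECRET = 'app-secret-constructed-for-this-example'

# Simplified model of a Rails 2.0-style authenticity token: bound to the
# session id, so a token minted for one session is invalid for every other.
def authenticity_token(session_id)
  OpenSSL::HMAC.hexdigest('SHA1', SECRET, session_id)
end

# Constant-time string comparison so token checks don't leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What protect_from_forgery conceptually does: recompute and compare.
def verify_token(session_id, submitted)
  return false unless submitted.is_a?(String)
  secure_compare(authenticity_token(session_id), submitted)
end

# Stand-in for a page/action cache: first render is stored, then served
# verbatim to everyone who asks for the same key.
class PageCache
  def initialize
    @store = {}
  end

  def fetch(key)
    @store[key] ||= yield
  end
end

def hidden_token_field(session_id)
  %(<input type="hidden" name="authenticity_token" value="#{authenticity_token(session_id)}"/>)
end

# Pull the token back out of served HTML, as a browser submitting the form would.
def extract_token(html)
  html[/name="authenticity_token" value="([0-9a-f]+)"/, 1]
end

# BROKEN: the whole form, hidden token included, lives inside the cache.
def serve_cached_form(cache, session_id)
  cache.fetch('comments/new') do
    %(<form method="post" action="/comments">) +
      hidden_token_field(session_id) +
      %(<input name="body"/></form>)
  end
end

# FIXED: only the static markup is cached; the token is rendered per request,
# outside the cached fragment, so it always belongs to the current session.
def serve_fragment_cached_form(cache, session_id)
  static = cache.fetch('comments/new/static') { %(<input name="body"/>) }
  %(<form method="post" action="/comments">) +
    hidden_token_field(session_id) +
    static + '</form>'
end

# Two visitors with distinct sessions hit the same page through one cache.
# Returns [first_visitor_ok, second_visitor_ok].
def simulate(renderer)
  cache = PageCache.new
  alice = SecureRandom.hex(16) # constructed session ids
  bob   = SecureRandom.hex(16)
  alice_html = renderer.call(cache, alice)
  bob_html   = renderer.call(cache, bob)
  [verify_token(alice, extract_token(alice_html)),
   verify_token(bob,   extract_token(bob_html))]
end

if __FILE__ == $PROGRAM_NAME
  puts "whole form cached:      #{simulate(method(:serve_cached_form)).inspect}"
  puts "token outside fragment: #{simulate(method(:serve_fragment_cached_form)).inspect}"
end
```

The first simulation returns `[true, false]`: the cached token verifies for the session that rendered it and for nobody else, which is exactly the “second user” failure described above. The second returns `[true, true]` because the cache key covers only markup that is the same for everyone.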
Details and such on Rails 2.0 forgery protection.
Good presentation on Rails security