
I have the following code:

class Foo < ActiveRecord::Base
  protect_from_forgery
end

My question is: when does protect_from_forgery get called? When an instance of Foo is created?

Thanks in advance


1 Answer


Someone with more knowledge than myself might know a better answer but here is how I understand it:

When the browser sends a POST request, Rails includes an additional authenticity token with the request that corresponds to that user's session. If I knew another user's authenticity token, I could add an HTML element on the page that includes their token and submit requests posing as that user. This is called Cross-Site Request Forgery. To protect your site from such attacks, Rails includes a method called protect_from_forgery. This method should be placed at the top of your Application Controller so that it checks each request for authenticity.

Further reading can be found on the Rails Guide to Security.

answered 2014-01-22T23:14:14.170
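To make the timing concrete: in Rails, protect_from_forgery is a class method that ActionController::Base gets from ActionController::RequestForgeryProtection; it registers a before_action (verify_authenticity_token), so the check runs in the controller filter chain on every request, before the action body, and has nothing to do with model instantiation. ActiveRecord::Base does not define it, so the class Foo in the question would raise NoMethodError when loaded. The following is an added example that is not part of the answer above and not Rails' own code: a small, dependency-free Ruby stand-in for what verify_authenticity_token does (per-session token, skip safe HTTP methods, constant-time comparison of the submitted token), with a demo that plays through a legitimate submission and a forged cross-site one. The class name CsrfGuard, the session key :_csrf_token and the demo inputs are all constructed for illustration.

```ruby
require 'securerandom'

# Added example: a minimal model of Rails' CSRF check, not Rails' code.
# The session argument is a plain Hash standing in for the Rails session store.
class CsrfGuard
  # Requests that must not change state need no token (matches Rails' behaviour).
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Mint (or reuse) the token stored in this user's session; a form helper
  # would embed it as the hidden authenticity_token field.
  def self.form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Byte-by-byte comparison whose running time does not depend on where the
  # strings first differ, so a wrong token cannot be refined via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # true when the request may proceed. State-changing requests must carry the
  # session's token, as the authenticity_token param or X-CSRF-Token header.
  def self.verified_request?(session, method:, params: {}, headers: {})
    return true if SAFE_METHODS.include?(method.upcase)

    expected = session[:_csrf_token]
    return false if expected.nil?               # no token was ever issued

    submitted = params['authenticity_token'] || headers['X-CSRF-Token']
    return false if submitted.nil?              # unauthenticated form post
    secure_compare(submitted, expected)
  end

  # Plays through the scenarios the answer describes and returns the outcomes.
  # A forged request from another origin cannot read the victim's token, so it
  # either omits it or guesses wrong; both are rejected.
  def self.demo
    victim_session = {}
    token = form_authenticity_token(victim_session)   # issued when the form renders
    {
      safe_get:        verified_request?(victim_session, method: 'GET'),
      legitimate_post: verified_request?(victim_session, method: 'POST',
                                         params: { 'authenticity_token' => token }),
      ajax_with_header: verified_request?(victim_session, method: 'PUT',
                                          headers: { 'X-CSRF-Token' => token }),
      forged_no_token: verified_request?(victim_session, method: 'POST',
                                         params: { 'amount' => '1000' }),
      forged_wrong_token: verified_request?(victim_session, method: 'POST',
                                            params: { 'authenticity_token' => 'A' * token.bytesize })
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  CsrfGuard.demo.each { |scenario, allowed| puts "#{scenario}: #{allowed ? 'allowed' : 'rejected'}" }
end
```

The real call site is the controller, not the model: `protect_from_forgery with: :exception` (Rails 4 syntax) in ApplicationController makes every subclass run this kind of check before its actions, and a failed check raises ActionController::InvalidAuthenticityToken instead of silently returning false.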