My jquery AJAX POST requests works without sending an Authenticity Token (Rails)

Posted by dchua on Stack Overflow See other posts from Stack Overflow or by dchua
Published on 2010-06-17T06:52:48Z Indexed on 2010/06/17 7:03 UTC
Read the original article Hit count: 317

Filed under:
|
|
|
|

Hi all,

Is there any provisions in rails that would allow all AJAX POST requests from the site to pass without an authenticity_token?

I have a Jquery POST ajax call that calls a controller method, but I did not put any authenticity code in it and yet the call succeeds.

My ApplicationController does have 'request_forgery_protection' and I've changed

config.action_controller.consider_all_requests_local

to false in my environments/development.rb

I've also searched my code to ensure that I was not overloading ajaxSend to send out authenticity tokens.

Is there some mechanism in play that disables the check? Now I'm not sure if my CSRF protection is working or not.

I'm using Rails 2.3.5.

© Stack Overflow or respective owner

Related posts about jQuery

Related posts about ruby-on-rails