Rails的简单形式给出了InvalidAuthenticityToken错误

Question

我有一个简单的形式是这样的：

<form name="serachForm" method="post" action="/home/search"> 
    <input type="text" name="searchText" size="15" value=""> 
    <input class="image" name="searchsubmit" value="Busca" src="/images/btn_go_search.gif" align="top" border="0" height="17" type="image" width="29"> 
</form> 

而且这种方法的控制器：

def busca 
    puts params[:searchText] 
    end 

当我这样做对图像按钮单击窗体我得到一个ActionController :: InvalidAuthenticityToken。下面是完整的堆栈跟踪：

/Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/request_forgery_protection.rb:86:in verify_authenticity_token' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:178:in 发送” /库/红宝石/宝石/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:178:in evaluate_method' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:166:in 调用' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters。 RB：225：在 call' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:629:in run_before_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:615:in call_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:610:in perform_action_without_benchmark” /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2 /lib/action_controller/rescue.rb:136:in perform_action_without_caching' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/caching/sql_cache.rb:13:in perform_action' /Library/Ruby/Gems/1.8/gems/activerecord-2.2.2/lib/active_record/connection_adapters/abstract/query_cache.rb:34:in cache' /Library/Ruby/Gems/1.8/gems/activerecord-2.2.2/lib/active_record/query_cache.rb:8:in cache' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/caching/sql_cache.rb:12:in perform_action' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/base.rb:524:in send' /Library/Ruby/Gems/1.8/gems/actionpack -2.2.2/lib/action_controller/base.rb：524：在 process_without_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:606:in process_without_session_management_support' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/session_management.rb:134:in process' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/base.rb:392:in process' /Library/Ruby/Gems/1.8/gems/rails-2.2.2 /lib/webrick_server.rb:74:in service' /Library/Ruby/Gems/1.8/gems/rails-2.2.2/lib/commands/servers/webrick.rb:66 /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:153:in 需要 ' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:521:in new_constants_in' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:153:in 需要' /库/Ruby/Gems/1.8/gems/rails-2.2.2/lib/commands/server.rb:49

发生了什么事？

Answer 1

默认情况下，所有非GET操作要求的真实性令牌是随请求一起传递。 Rails使用真实性标记来避免CSRF攻击。

确保始终到位的最简单方法是使用form_tag帮助程序，而不是手动编写HTML。

<% form_tag "/home/search", :name => "searchForm" do %> 
    fields here 
<% end %> 

Answer 2

protect_from_forgery：只=> [：创建，：更新：摧毁]会为你节省一些麻烦:)（在控制器类）

Answer 3

如果不使用助手来生成表单标签，你这是怎么手动真实性令牌生成隐藏字段：

<input type="hidden" 
     value="<%= form_authenticity_token() %>" 
     name="authenticity_token"/> 

Answer 4

随着纳特的线条，增添

<%= token_tag %> 

的HTML“格式”标签的作品刚过

Answer 5

使用表单帮手，正如其他人建议以上编辑将工作。

虽然这是一个搜索表单，但该方法实际上应该是'get'。一般来说，除非数据库中的某些内容会发生变化，否则应该使用'get'。

对于搜索表单，使用method ='get'更具书签/后退按钮友好性。