```ruby
# File lib/action_controller/request_forgery_protection.rb, line 98
def form_authenticity_param
  params[request_forgery_protection_token]
end
```
Sets the token value for the current session. Pass a :secret option in protect_from_forgery to add a custom salt to the hash.
```ruby
# File lib/action_controller/request_forgery_protection.rb, line 108
def form_authenticity_token
  session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
end
```
```ruby
# File lib/action_controller/request_forgery_protection.rb, line 82
def handle_unverified_request
  reset_session
end
```
```ruby
# File lib/action_controller/request_forgery_protection.rb, line 112
def protect_against_forgery?
  allow_forgery_protection && request_forgery_protection_token
end
```
```ruby
# File lib/action_controller/request_forgery_protection.rb, line 102
def verifiable_request_format?
  !request.content_type.nil? && request.content_type.verify_request?
end
```
Returns true or false depending on whether a request is verified. Checks:

* Is the format restricted? By default, only HTML requests are checked.
* Is it a GET request? GETs should be safe and idempotent.
* Does the form_authenticity_token match the token value given in the params (or in the X-CSRF-Token header)?
```ruby
# File lib/action_controller/request_forgery_protection.rb, line 91
def verified_request?
  !protect_against_forgery? ||
    request.get? ||
    form_authenticity_token == form_authenticity_param ||
    form_authenticity_token == request.headers['X-CSRF-Token']
end
```
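The following is an added, stand-alone model of the checks documented above (not Rails' own code): plain Ruby hashes stand in for the session, params and headers, and `FakeRequest`, `CsrfGuard` and `process` are constructed names for this demonstration. It shows a GET passing untested, a POST passing via either the form param or the X-CSRF-Token header, and an unverified POST triggering the session reset that `handle_unverified_request` performs.

```ruby
require 'securerandom'
# Constructed stand-in for ActionController's request: verb, MIME type, params, headers.
FakeRequest = Struct.new(:verb, :content_type, :params, :headers) do
  def get?
    verb == 'GET'
  end
end

class CsrfGuard
  attr_reader :session
  def initialize(token_param: :authenticity_token, allow: true, formats: ['text/html'])
    @session = {}                 # stands in for the Rails session store
    @token_param = token_param    # request_forgery_protection_token
    @allow = allow                # allow_forgery_protection
    @formats = formats            # formats for which verify_request? is true
  end

  # form_authenticity_token: one random token per session, created lazily.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  def protect_against_forgery?
    @allow && @token_param
  end

  # verifiable_request_format?: only HTML is checked by default.
  def verifiable_request_format?(request)
    !request.content_type.nil? && @formats.include?(request.content_type)
  end

  # verified_request?: the three documented checks, plus the X-CSRF-Token
  # header that the source above also accepts.
  def verified_request?(request)
    !protect_against_forgery? ||
      request.get? ||
      !verifiable_request_format?(request) ||
      form_authenticity_token == request.params[@token_param] ||
      form_authenticity_token == request.headers['X-CSRF-Token']
  end

  # handle_unverified_request: reset_session, so a forged POST loses the
  # victim's authenticated state and a fresh token is issued afterwards.
  def process(request)
    return :verified if verified_request?(request)
    @session.clear
    :unverified
  end
end
```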