
由网友(沉默√诠释一切)分享简介:我下面 http://railscasts.com/episodes/250-authentication-从划痕以简单的身份验证。它按预期工作。我在我的应用程序模型具有以下部分:I'm following http://railscasts.com/episodes/250-authentication-from-...

我下面 http://railscasts.com/episodes/250-authentication-从划痕以简单的身份验证。它按预期工作。我在我的应用程序模型具有以下部分

I'm following http://railscasts.com/episodes/250-authentication-from-scratch for simple authentication. It works as expected. I have a model in my app with the following partial :

<%= content_tag_for(:li, post) do %>
  <%= link_to 'Delete', post, :confirm => 'Are you sure?', :method => :delete, :remote => true %>
<% end %>

这就是所谓的在 index.html.erb 如下:

<%= render :partial => @posts.reverse %>

destroy.js.erb 如下所示,这就是所谓如果该对象被成功摧毁。

The destroy.js.erb is as follows, which is called if the object is successfully destroyed.

$('#<%= dom_id(@post) %>').css('background', 'red');
$('#<%= dom_id(@post) %>').hide();

在点击删除按钮,对象被删除正常,破坏.js.erb 正确渲染了。但不知何故,该用户将被注销。以下是code我的 posts_controller.rb

On clicking the delete button, the post object gets deleted properly and the destroy.js.erb is rendered correctly too. But somehow, the user is logged out. Following is the code for my posts_controller.rb :

  def destroy
    logger.error 'in destroy'
    @post = Job.find(params[:id])

    respond_to do |format|
      format.html { redirect_to(posts_url) }
      format.xml  { head :ok }


Any clues why this behavior?


And, if I remove the :remote => true from the delete link, then the user remains logged in. I have log statements in the destroy method for session that are never called in either case, but if ':remote=>true then the session is somehow screwed up. On checking the cookies, I found that the cookie is not destroyed but it does get modified when the destroy method on posts is called. Not sure why this has to happen.



Sounds like you are bumping into a rails security feature that is meant to protect against Cross Site Request Forgery. Adding :remote => true causes the request to be submitted via ajax without CSRF security tokens, so rails clobbers the session because it thinks it is a CSRF attack. To get around this you have a few options:


A quick and dirty (and insecure) solution is to turn off the security check for that request. To do this add this line to the top of your controller:

skip_before_filter:verify_authenticity_token,:只=&GT; [:摧毁]

一个更安全的解决方案是提交 CSRF 用AJAX调用令牌。我认为,如果你改变你的远程连接到 button_to 这将自动发生。了解更多这里。

A more secure solution is to submit the CSRF token with the AJAX call. I think this will happen automatically if you change your remote link to a button_to. Read more here.

&LT;%= button_to删除,后,:确认=&GT; 你确定吗?,:方法=&GT; :删除:远程=&GT;真%&GT;


You could also cookies to store the current_user rather than the session. The security implications of this will depend on the details of your app.