Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

update doc about resetting the session in case of authenticity token …

…mismatch
  • Loading branch information...
commit 5fe67fa7a3c78b2dc7a3f311d1fa518cde52443a 1 parent 7744177
@vijaydev vijaydev authored
View
11 actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -7,17 +7,16 @@ class InvalidAuthenticityToken < ActionControllerError #:nodoc:
# Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
# by including a token in the rendered html for your application. This token is
# stored as a random string in the session, to which an attacker does not have
- # access. When a request reaches your application, \Rails then verifies the received
- # token with the token in the session. Only HTML and javascript requests are checked,
+ # access. When a request reaches your application, \Rails verifies the received
+ # token with the token in the session. Only HTML and JavaScript requests are checked,
# so this will not protect your XML API (presumably you'll have a different
# authentication scheme there anyway). Also, GET requests are not protected as these
# should be idempotent.
#
# CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
- # which will check the token and raise an ActionController::InvalidAuthenticityToken
- # if it doesn't match what was expected. A call to this method is generated for new
- # \Rails applications by default. You can customize the error message by editing
- # public/422.html.
+ # which checks the token and resets the session if it doesn't match what was expected.
+ # A call to this method is generated for new \Rails applications by default.
+ # You can customize the error message by editing public/422.html.
#
# The token parameter is named <tt>authenticity_token</tt> by default. The name and
# value of this token must be added to every layout that renders forms by including
Please sign in to comment.
Something went wrong with that request. Please try again.