docaholic

Reputation: 625

CSRF token with multiple forms

I have two forms on a single page, both of which are declared like this:

form_for @student, {remote:true, format: 'json'} do |f|

and

form_for @teacher, {remote:true, format: 'json'} do |f|

However, when I click the submit button for the teacher form, it errors out, saying "Invalid CSRF token" for that request. The requests for the student form work fine.

I've got <%= csrf_meta_tags %> in the main application.html.erb file, and the teacher form does have a CSRF token in the submit. I'm not doing an API, I just want the form to be handled via AJAX (I do some client-side error handling and confirmation).

Upvotes: 5

Views: 1138

Answers (1)

Ryenski

Reputation: 9692

You'll need to disable CSRF protection for json requests, according to the Rails docs: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html

It's important to remember that XML or JSON requests are also affected and if you're building an API you'll need something like:

class ApplicationController < ActionController::Base
  protect_from_forgery
  skip_before_action :verify_authenticity_token, if: :json_request?

  protected

  def json_request?
    request.format.json?
  end
end

Upvotes: 2
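
Added example, not part of the question or the answer: Rails also accepts the token in an X-CSRF-Token request header, so a JSON form submission can carry the token that csrf_meta_tags renders and verification can stay enabled. The helper names, the /teachers path and the stand-in document are assumptions made for illustration.

```javascript
// Methods Rails checks for an authenticity token (GET and HEAD are exempt).
const UNSAFE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Read the token that <%= csrf_meta_tags %> renders as <meta name="csrf-token">.
function csrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute("content") : null;
}

// The token must only travel to the page's own origin.
function isSameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Build fetch() options for a JSON request (hypothetical helper).
function buildJsonRequest(doc, pageOrigin, url, method, payload) {
  const verb = method.toUpperCase();
  const options = {
    method: verb,
    credentials: "same-origin",
    headers: { Accept: "application/json" },
  };
  if (!UNSAFE_METHODS.has(verb)) return options; // nothing to protect, no body
  options.headers["Content-Type"] = "application/json";
  options.body = JSON.stringify(payload);
  if (isSameOrigin(url, pageOrigin)) {
    const token = csrfToken(doc);
    if (!token) throw new Error("csrf-token meta tag missing from the page");
    options.headers["X-CSRF-Token"] = token;
  }
  return options;
}

// Browser usage, e.g. submitJson("/teachers", "post", { teacher: { name: "..." } })
function submitJson(url, method, payload) {
  return fetch(url, buildJsonRequest(document, window.location.origin, url, method, payload));
}

// Constructed stand-in for the browser document, so the helpers run outside a browser.
function fakeDocument(token) {
  return {
    querySelector: (selector) =>
      selector === 'meta[name="csrf-token"]' && token
        ? { getAttribute: () => token }
        : null,
  };
}
```

A cross-origin URL gets no token header, and a page without the meta tag fails before any request is sent.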
