Nghi93

Reputation: 91

Where does rails store authenticity token

I am trying to figure out where authenticity tokens are stored by Rails 4. On every request Rails seems to generate a new token. But where exactly are all of these tokens stored when using the cookie store? I have looked through the session variable but could not find anything.

Upvotes: 1

Views: 1332

Answers (1)

Nghi93

Reputation: 91

I figured out how Rails handles the storage and the validation of CSRF tokens: I was looking for this http://apidock.com/rails/ActionController/RequestForgeryProtection. So the CSRF token is stored in the session. Like I mentioned before, this token remains the same. But this token is used to generate the authenticity tokens which are shown on the forms (see http://apidock.com/rails/v4.2.1/ActionController/RequestForgeryProtection/masked_authenticity_token).

To validate the authenticity tokens there are the methods real_csrf_token and compare_with_real_token. So there is no need to store every single generated token like I thought in the first place.

Upvotes: 2
