[Facebooker-talk] form_tag and form_for cause #protect_from_forgery errors

Mike Mangino mmangino at elevatedrails.com
Tue Apr 8 21:06:08 EDT 2008


If you generate an application with Rails 2.0, it will put the
following section in environment.rb:

  # Your secret key for verifying cookie session data integrity.
  # If you change this key, all old sessions will become invalid!
  # Make sure the secret is at least 30 characters and all random,
  # no regular words or you'll be exposed to dictionary attacks.

  config.action_controller.session = {
    :session_key => '_app_session',
    :secret      => 'longstring'
  }

Just uncomment the secret and you should be good to go.

Mike

On Apr 8, 2008, at 7:21 PM, BJ Clark wrote:
> Hey All,
>
> I'm trying to do a simple form_for (and I also get it with form_tag)
> and I'm getting the following error:
>
> ActionView::TemplateError (No :secret given to the
> #protect_from_forgery call.  Set that or use a session store capable
> of generating its own keys (Cookie Session Store).) on line #2 of
> users/new.fbml.erb:
> 1: <h1>Welcome To Courses, Let's Get Started.</h1>
> 2: <% form_for :user, user_path, :method => :post do |form| %>
> 3: 	<fb:editor-custom label="You are a">
> 4: 		<label><%= radio_button_tag 'user_type', 'student', true %> Student</label>
> 5: 		<label><%= radio_button_tag 'user_type', 'instructor' %> Teacher</label>
>
>     vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb:114:in `form_authenticity_token'
>     (eval):2:in `send'
>     (eval):2:in `form_authenticity_token'
>     vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:453:in `token_tag'
>     vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:430:in `extra_tags_for_form'
>     vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:438:in `form_tag_html'
>     vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:41:in `form_tag'
>     vendor/rails/actionpack/lib/action_view/helpers/form_helper.rb:204:in `form_for'
>     app/views/users/new.fbml.erb:2:in `_run_erb_47app47views47users47new46fbml46erb'
>
>
> I've got this in my application.rb:
>   config.action_controller.session_store = :active_record_store
>   config.action_controller.session = {
>     :session_key => '_app_session',
>     :secret      => 'xxx'
>   }
>
>
> What's the trick for getting around this?
>
> Thanks,
> BJ Clark
>

--
Mike Mangino
http://www.elevatedrails.com
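
Added example, not part of the original thread and not Rails source code: a simplified Ruby model of why a forgery-protection token needs a server-side secret, and of what the generated comment's "at least 30 characters and all random" advice guards against. The method names, the SHA-256 choice and the character-variety threshold are assumptions made for this illustration.

```ruby
require 'openssl'

# Hypothetical names throughout: a model of the idea, not Rails source code.
MIN_SECRET_LENGTH = 30  # from the generated environment.rb comment
MIN_DISTINCT_CHARS = 10 # assumed threshold standing in for "all random"

class MissingSecret < StandardError; end

# List the reasons a configured secret should be rejected (empty list = acceptable).
def secret_problems(secret)
  return ['missing'] if secret.nil? || secret.empty?
  problems = []
  problems << "shorter than #{MIN_SECRET_LENGTH} characters" if secret.length < MIN_SECRET_LENGTH
  problems << 'low character variety' if secret.chars.uniq.length < MIN_DISTINCT_CHARS
  problems
end

# Per-session form token: HMAC over the session id, keyed by the server secret.
# The token cannot be recomputed by anyone who does not hold the secret.
def form_token(secret, session_id)
  raise MissingSecret, 'no secret configured for token generation' if secret.nil? || secret.empty?
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, session_id)
end

# Compare the submitted token with the expected one without an early exit on mismatch.
def valid_token?(secret, session_id, submitted)
  expected = form_token(secret, session_id)
  return false unless submitted.is_a?(String) && submitted.bytesize == expected.bytesize
  submitted.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  secret = 'k3Zp9vQ1xT7mB2nW8cR5yL0dF6hJ4sGa' # constructed sample value
  sid = 'constructed-session-id-0001'         # constructed sample value
  token = form_token(secret, sid)
  puts "token accepted:  #{valid_token?(secret, sid, token)}"
  puts "forged accepted: #{valid_token?(secret, sid, '0' * token.length)}"
  puts "placeholder secret problems: #{secret_problems('longstring').inspect}"
end
```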




