Random CSRF token authenticity errors - html

I am getting intermittent CSRF token authenticity errors. Specifically, it occasionally happens when I submit a regular form via POST. I can get pass this error if I just go to a few other random pages before submitting the form again. This error does not always come up, it just comes up occasionally. It leads me to think that maybe the csrf meta tags being generated are not always valid.
I have already included the following statement in the header of application.html.erb
<%= csrf_meta_tags %>
I also have the following in application_controller.rb
protect_from_forgery
Is there anything else I should be doing?

If you're using the Rails helpers form_tag or form_for to generate your 'regular forms', then you will see if you inspect the HTML that an extra div is generated under the form tag, which contains a hidden field for utf8 compliancy, and an authenticity_token.
If you're writing your own forms (with <form>...</form> or %form) then you will need to manually add the authenticity token.
There's another helper called form_authenticity_token that you can use thus:
<input name="authenticity_token" type="hidden" value="<%= form_authenticity_token %>">
But I'd recommend you use the Rails form tag helpers, and avoid adding you own authenticity token fields.

Related

antiforgery token in asp.net core razor pages?

I'm running into an issue I don't quite understand.
asp.net core 2.2.1 using razor pages, I'm having to manually generate the antiforgery token but all the documentation seems to claim that isn't necessary with razor pages.
Any insights as to what I'm doing wrong here?
If you remove the #Html.AntiForgeryToken() from the below form then the token isn't added. If this is what you're supposed to do that's great, I'm done, but every source I can find seems to think this isn't necessary.
<form method="post">
#Html.AntiForgeryToken()
<div>Source Type: <input asp-for="filter.SourceType" value="JsonEvent"/></div>
<div>Source Name: <input asp-for="filter.SourceName"/></div>
<input type="submit"/>
</form>
You absolutely do not need to use code like #Html.AntiForgeryToken() within your form element in order to generate an AntiForgeryToken when you are using ASP.NET Core Razor Pages. The token is generated and submitted automatically when you submit your form.
You can validate this idea by checking your Browser's development tool section. You can inspect the headers and you will see a Form Data "_RequestVerificationToken" as shown in this screenshot.
But, note that, your Ajax requests are different. For example, if you use jQuery Ajax method to post to any of your Razor page's Post handler, then you will need to generate the token explicitly and pass the header along with your request.
As per the Documentation, #Html.AntiForgeryToken() does not need to be added as the markup you used should be enough:
<form method="post">
...
</form>
I would check that the token isn't set at the bottom of the form as outlined in this article

how to add form to application.html.erb page ruby

I'm quite new to ruby and I'm trying to put the form to add a new post to the "application.html.erb" page.
Somehow I can't get it to work by just copying the code from the "app/views/things/_form.html.erb" page, and also I can't seem to get it to work by copying the code from the "app/views/things/new.html.erb" page.
If I do that I get the error:
First argument in form cannot contain nil or be empty
The error points towards:
<%= form_for(#thing) do |f| %>
This is a code that I find in the "app/views/things/_form.html.erb" page.
Can anybody point me in the right direction? To be honest, I don't even know where to start looking for the answer.
I think you should take a look at ruby on rails MVC model first, and also go through a basic tutorial. Just a quick review of you question:
application.html.erb is usually in the layout folder of rails,
it's job is to provide a root template/layout for the whole project if not specified.
usually you don't want to put any code that is not commonly
needed by all pages.
the reason it is giving you the error First argument in form cannot contain nil or be empty is because, the helper method form_for is expecting the controller to provide a #thing to the view file application.html.erb, in your case, it is obvious that #thing is not exist in your controller or your ApplicationController.
The #thing should be initialized in your controller. I suppose you've got a things_controller.rb that has a new action in it. In this action, controller should initialize #thing and therefore it is visible in app/views/things/new.html.erb.
You really shouldn't put forms in application.html.erb, but just to make the error disappear, you could do
<%= form_for(Thing.new) do |f| %>
(assuming you've got a Thing model in app/models/thing.rb).
This way you'll initialize an instance of Thing right in your application.html.erb view.

How to interface html form with rails

Recently I downloaded a html template hoping I might be able to use it with rails. But I am stuck at the form template itself. I know how to use form_for and simple_form_for. But I don't know how to make a nice UI so is using the template.
A part of the form is
<form class="form-signin" action="sessions_path" method="post">
But this gives error saying [GET] "/sessions_path" routes not found. Why is this happening?
But when I use form_tag instead of form the sessions_path works fine.
I googled this ,couldn't find any related posts.
It's because form tag can use the rails route, while in pure html you will not have access to it.
Check out http://api.rubyonrails.org/classes/ActionView/Helpers/FormTagHelper.html#method-i-form_tag to see what the form_tag function actually generates.
In your case it would should probably be:
<form class="form-signin" action="/sessions" method="post">

Rails 3, make submit call specific function in controller

new to web development, here. I have a form like this:
<form name="myForm" id="myForm" method="post" >
<select id="id" name="foo">
...some stuff
</select>
<input type="submit"/>
</form>
The submit button calls the 'index' method of my controller, as expected. I would like to make it call some other function, such as 'update', how do I do that? I need to do something with the #_params hash, but I don't want invoke the index function, to do it. Thanks.
You did not include the view logic so I am going to take a stab in the dark and guess you are writing the HTML for the form rather than using the RoR helpers.
In rails there are a set of helpers that help you generate forms and form items.
Please check the docs for form_for
Using form_for will follow the basic restful routing unless you modify the url parameter. So if you are on /new you will be routed to /create, if you are on /edit, you will be routed to /update. More precisely, if the object is new, you will submit to create, if the model exists you will submit to update.
If your form doesn't use a model, you can use the form_tag helper that takes a url parameter and you can pass a string specifying what path to submit to.
If you just need to know how to do this in plain HTML, read this. Essentially, you need to include an action attribute on form that specifies the path to the action you want to post to.

Run asp script and return to original page

I've been looking for a while but i haven't been able to do this. I'm submitting a form to a asp script but i want to know if it's possible to either just run the script from the original page or if it's possible to make it return to the original page.
Is there a simple solution to this problem?
Two ways immediately spring to mind:
1) Convert your form to an ASP page. If the form is just HTML/JavaScript, simply change the file name to filename.asp. Then in your form tags call the filename, e.g.
<form name="form1" action="filename.asp" method="post">
At the top of filename.asp (or better still, use an include file) insert your script:
<% if request.form.count > 0 then
...
end if %>
When the user submits the form they will see the original form but you can display feedback to the user or hide the form on submit.
2) Make sure your ASP script doesn't print anything to the page and at the end of the script add
response.redirect("original-page")