ruby on rails - What does exception and null_session mean in protect_from_forgery


I'm trying to implement a token-based API, and saw these snippets on Google.

However, it's hard to understand the literal meaning.

Any direction or basic knowledge on this?

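    class ApplicationController < ActionController::Base
      # Non-JSON requests: raise when the authenticity token does not verify.
      protect_from_forgery with: :exception, if: Proc.new { |c| c.request.format != 'application/json' }
      # JSON requests: run the request with an empty session instead.
      protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }
    end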

Rails documents null_session here: http://api.rubyonrails.org/classes/actioncontroller/requestforgeryprotection/protectionmethods/nullsession.html#method-i-handle_unverified_request. If you check the source code of its handle_unverified_request method:

    def handle_unverified_request
      request = @controller.request
      # Replace the session, flash and cookie jar with empty stand-ins.
      request.session = NullSessionHash.new(request.env)
      request.env['action_dispatch.request.flash_hash'] = nil
      request.env['rack.session.options'] = { skip: true }
      request.env['action_dispatch.cookies'] = NullCookieJar.build(request)
    end

That means if a request doesn't get through verify_authenticity_token, then Rails does not fetch the session data from the cookie, and creates a new session for the request. The session is an instance of NullSessionHash, hence "null_session".
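A plain-Ruby model of the two strategies in the snippet above, added here as an illustration; it is not code from the original post or from Rails. The names `ModelController`, `Request`, `API_TOKENS`, `strategy_for` and `simulate` are hypothetical, the session and token values are constructed, and the token comparison is simplified to plain equality.

```ruby
# Model only (no Rails): what each strategy does to an unverified request.
class InvalidAuthenticityToken < StandardError; end

# Hypothetical request: cookie-backed session, headers, submitted CSRF token.
Request = Struct.new(:session, :headers, :csrf_param)

API_TOKENS = { 'Token abc123' => 'api-client-7' }.freeze # constructed sample

# Same selection rule as the two protect_from_forgery lines in the question.
def strategy_for(format)
  format == 'application/json' ? :null_session : :exception
end

class ModelController
  attr_reader :request

  def initialize(request, strategy)
    @request = request
    @strategy = strategy
  end

  # Simplified stand-in for verify_authenticity_token's comparison.
  def verified?
    expected = request.session[:_csrf_token]
    !expected.nil? && request.csrf_param == expected
  end

  def handle_unverified_request
    case @strategy
    when :exception    then raise InvalidAuthenticityToken
    when :null_session then request.session = {} # empty for this request only
    end
  end

  # The action still runs under :null_session; it just sees no session data.
  def process
    handle_unverified_request unless verified?
    user = request.session[:user_id] || API_TOKENS[request.headers['Authorization']]
    user ? "ran as #{user}" : 'ran as anonymous'
  end
end

def simulate(format, csrf_param: nil, headers: {})
  # Constructed logged-in session, as the browser's cookie would carry it.
  session = { user_id: 'alice', _csrf_token: 'good-token' }
  req = Request.new(session, headers, csrf_param)
  ModelController.new(req, strategy_for(format)).process
rescue InvalidAuthenticityToken
  'rejected'
end
```

Under `:null_session` the request is not blocked, so a JSON endpoint must authenticate every call from something other than the session, such as the API token in this model.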

