ruby on rails - What do :exception and :null_session mean in protect_from_forgery?
I'm trying to implement a token-based API, and I saw these snippets on Google.
However, it's hard to understand their literal meaning.
Any direction or basic knowledge on this?

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception, if: Proc.new { |c| c.request.format != 'application/json' }
  protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }
end
Rails's documentation for null_session is here: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ProtectionMethods/NullSession.html#method-i-handle_unverified_request. If you check the source code of its handle_unverified_request method:

def handle_unverified_request
  request = @controller.request
  request.session = NullSessionHash.new(request.env)
  request.env['action_dispatch.request.flash_hash'] = nil
  request.env['rack.session.options'] = { skip: true }
  request.env['action_dispatch.cookies'] = NullCookieJar.build(request)
end

That means if a request doesn't pass verify_authenticity_token, Rails will not fetch the session cookie data, but will create a new session for the request. That session is an instance of NullSessionHash, hence "null_session".
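To see what each strategy does to a request, here is a plain-Ruby model added to this answer; it is not Rails' own implementation, and Request, secure_compare, verified_request?, current_user_id and the two handle_unverified_* methods are constructed names for the illustration.

```ruby
# Constructed model of the two protect_from_forgery strategies, not Rails code.
class InvalidAuthenticityToken < StandardError; end

# What the controller sees: the format, the token sent with the request, and
# the session that the browser's cookie would restore.
Request = Struct.new(:format, :authenticity_token, :session, keyword_init: true)

# Constant-time string compare so token verification does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified verify_authenticity_token: the token stored in the session must
# match the one sent (real Rails additionally masks the token per form).
def verified_request?(request)
  expected = request.session[:_csrf_token]
  sent = request.authenticity_token
  !expected.nil? && !sent.nil? && secure_compare(expected, sent)
end

# with: :exception -- the request is refused outright.
def handle_unverified_with_exception(_request)
  raise InvalidAuthenticityToken, "token missing or invalid"
end

# with: :null_session -- the request continues, but with an empty session, so
# nothing that was in the cookie-backed session can be used by the action.
def handle_unverified_with_null_session(request)
  request.session = {}
  request
end

# The controller from the question: :null_session for JSON, :exception otherwise.
def protect_from_forgery(request)
  return request if verified_request?(request)
  if request.format == 'application/json'
    handle_unverified_with_null_session(request)
  else
    handle_unverified_with_exception(request)
  end
end

# A downstream action that identifies the user by session. After null_session
# this returns nil, so an API request must authenticate by its own token.
def current_user_id(request)
  request.session[:user_id]
end
```

A forged JSON request riding on the victim's cookie therefore reaches the action with an empty session, which is why :null_session is only safe when the API authenticates with a token that a cross-site page cannot read.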