After upgrading to Rails 2.2.2, the above error is thrown when a user logs in, because the new Rails version tightened its security controls. The fix is simply to add <%= token_tag %> to the form: Rails then adds a token (generated by the form_authenticity_token method in the action) to the form, which is submitted together with it and helps prevent CSRF attacks.
<input name="authenticity_token" type="hidden" value="d688e6bf60f43bd171504e059de1ba03f876d129" />
For details, see ActionController::RequestForgeryProtection and the configuration notes in config/environment.rb:
# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
config.action_controller.session = {
  :session_key => '_rails_session_key',
  :secret      => '_rails_secret'
}
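To show what the token_tag / form_authenticity_token mechanism actually buys you, here is a small added Ruby model of it (illustration only, not Rails' own implementation; the CsrfDemo module and its method names are assumed): a per-session random token is rendered into a hidden field, and any non-GET request lacking the session's token is rejected.

```ruby
require 'securerandom'

# Added example, not Rails code: a minimal model of the authenticity-token check.
module CsrfDemo
  SAFE_METHODS = %w[GET HEAD].freeze

  # Issue one random token per session, created lazily on first use.
  def self.form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.hex(20) # 40 hex chars, as in the page's example
  end

  # What <%= token_tag %> renders into the form.
  def self.token_tag(session)
    %(<input name="authenticity_token" type="hidden" value="#{form_authenticity_token(session)}" />)
  end

  # Compare in constant time so response timing does not leak the token byte by byte.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server-side check: safe methods pass, anything else must carry this session's token.
  def self.verified_request?(method, session, params)
    return true if SAFE_METHODS.include?(method.upcase)
    secure_compare(params['authenticity_token'], session[:_csrf_token])
  end

  # Pull the hidden field back out of submitted form HTML (stand-in for form decoding).
  def self.params_from(html)
    m = html.match(/name="authenticity_token"[^>]*value="([^"]*)"/)
    m ? { 'authenticity_token' => m[1] } : {}
  end

  # Constructed scenarios: the site's own form, a form from another origin
  # that cannot know the token, a guessed token, and a plain GET.
  def self.run_demo
    session = {}
    legit_form  = "<form method=\"post\">#{token_tag(session)}</form>"
    forged_form = '<form method="post"><input name="amount" value="100" /></form>'
    guessed     = { 'authenticity_token' => 'a' * 40 }
    {
      legit:   verified_request?('POST', session, params_from(legit_form)),
      missing: verified_request?('POST', session, params_from(forged_form)),
      guessed: verified_request?('POST', session, guessed),
      get:     verified_request?('GET',  session, {})
    }
  end
end
```

The token lives in the server-side session (or in the signed cookie session, which is why the :secret above matters), so a page on another origin cannot read or forge it.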