trevorturk / flash_cookie_session

Rails 3 cookie sessions can cooperate with Flash

Fix cookies change when download swf files #18

Closed justqyx closed 10 years ago

justqyx commented 10 years ago

When the browser downloads the swf from our server,

```ruby
# Request is treated as coming from Flash if either the user agent or the referer matches.
if env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/ or env['HTTP_REFERER'] =~ /.swf/
  # ...
end
```

this code will be executed, and then the cookie will be changed. So if the browser sends an ajax request, it will fail with the error `Can't verify CSRF token authenticity`. And I have to sign in again!

So I think maybe it should only be

```ruby
# Only the Flash user agent is checked; the referer is ignored.
if env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/
  # ...
end
```

trevorturk commented 10 years ago

Left a comment on the commit that introduced this asking for clarification. I'd like a little more background about this, and you'll want to remove the commented-out line if we're going to merge this.

ethier commented 10 years ago

I'm not sure why the cookie is changing.

It's an `or` condition, so I'm not sure why removing the swf check would cause this to fail. Are you sure you're sending your CSRF token with the ajax request? Also, Chrome will not send the Adobe Flash user agent, just the browser agent, so your change will break Chrome.
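To make the trade-off in this thread concrete, here is an added example (not the flash_cookie_session project's own code) that runs both classifiers from the pull request over constructed Rack env hashes: it shows the referer variant flagging a plain browser request whose URL merely contains "swf" (the regex dot is unescaped and unanchored), and the user-agent-only variant missing Chrome's bundled player, which reports the browser's user agent. Hosts, paths and user-agent strings are made up for illustration.

```ruby
# Added example: the two request classifiers discussed in this thread.
# The middleware only rewrites the session cookie when the classifier
# returns true, so a false positive changes cookies for an ordinary
# browser request and a false negative leaves a Flash request without
# its session.

# Condition as it stood in the project (user agent OR referer).
def flash_request_by_ua_or_referer?(env)
  !!(env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/ ||
     env['HTTP_REFERER'] =~ /.swf/)
end

# Condition proposed in the pull request (user agent only).
def flash_request_by_ua_only?(env)
  !!(env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/)
end

# Constructed sample requests (hypothetical host, paths and user agents).
SAMPLE_REQUESTS = {
  # Flash player that reports its own user agent.
  flash_ua:     { 'HTTP_USER_AGENT' => 'Shockwave Flash',
                  'HTTP_REFERER'    => 'http://app.example/uploader.swf' },
  # Chrome's bundled player sends the browser UA; only the referer reveals Flash.
  chrome_flash: { 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Chrome/31.0',
                  'HTTP_REFERER'    => 'http://app.example/uploader.swf' },
  # Ordinary XHR from a page whose path happens to contain "swf".
  browser_ajax: { 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Chrome/31.0',
                  'HTTP_REFERER'    => 'http://app.example/newswf/dashboard' },
  # Ordinary XHR from an unrelated page.
  plain_ajax:   { 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Chrome/31.0',
                  'HTTP_REFERER'    => 'http://app.example/dashboard' },
}

# Returns { name => [ua_or_referer_result, ua_only_result] } for each sample.
def classify_samples(samples = SAMPLE_REQUESTS)
  samples.each_with_object({}) do |(name, env), out|
    out[name] = [flash_request_by_ua_or_referer?(env), flash_request_by_ua_only?(env)]
  end
end

if __FILE__ == $0
  classify_samples.each do |name, (by_either, by_ua)|
    puts "#{name}: ua_or_referer=#{by_either} ua_only=#{by_ua}"
  end
end
```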

trevorturk commented 10 years ago

Closing due to lack of feedback.