request.session['_csrf_token'] 和元标记 csrf_token 不匹配

request.session['_csrf_token'] and meta tag csrf_token doesn't match

我在 Rails 4.2

中使用 websockets 与 Faye 实现了实时聊天

现在我可以使用 curl 向频道发布消息,例如:

curl http://localhost:3000/faye -d message={"channel":"/mychannel", "data": "my message"}'

为了防止这种情况,我遵循了指南 http://faye.jcoglan.com/security/csrf.html

但是客户端总是报401错误

[,…]
0: {id: "8l", channel: "/meta/handshake", error: "401::Access denied", successful: false, version: "1.0",…}
advice: {reconnect: "handshake"}
channel: "/meta/handshake"
error: "401::Access denied"
id: "8l"
successful: false
supportedConnectionTypes: ["long-polling", "cross-origin-long-polling", "callback-polling", "websocket", "eventsource",…]
version: "1.0"

我还在 CsrfProtection 扩展中调试令牌变量。他们总是不同的。

Started POST "/faye" for 127.0.0.1 at 2016-02-20 02:53:59 +0600
session_token: "nICoUB0sDiwmNqbRpr1kUM7LtyBybCiddThnZceU7UI="
message_token: "PO5gD5tPwVMZifrUCsk8xnJXUIRZkhOU/vQ+ujbmQAugbshfhmPPfz+/XAWsdFiWvJznpCv+OwmLzFnf8XKtSQ=="

它们为何不同以及如何实施 csrf 保护?

Rails 代码中的方法可能有帮助:token validation

思路:页面上有Base64编码的值,需要对其进行解码