I am trying to understand when the Ring anti-forgery token is generated or inserted into an HTML page. I use Compojure / Ring / Hiccup, but I think my question is really about Ring. I have no problem as such: I just want to know when and how the anti-forgery token is injected.
The function anti-forgery-field in ring.util.anti-forgery is implemented as follows:
(html (hidden-field "__anti-forgery-token" *anti-forgery-token*))
If I call this function at the REPL, I get:
REPL> (println (anti-forgery-field))
<input id="__anti-forgery-token" name="__anti-forgery-token" type="hidden" value="Unbound: #'ring.middleware.anti-forgery/*anti-forgery-token*" />
Still at the REPL, if I try to get this var, I get the same "unbound" variable:
> ring.middleware.anti-forgery/*anti-forgery-token*
=>
What I do not understand is what "Unbound" means and when it is transformed (by Ring?) into the actual supplied token. And I especially don't understand how several users connecting to the website each receive a different token (per session).
Is this variable always "unbound"? When / how is it "bound" (if it is)?
Also, if I have a session identifier (say, "ring-session = 310678be-9ef6-41a7-a12a-b2417de4a79f"), how can I see, at the Clojure REPL (server side), what the corresponding anti-forgery token value is?
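The mechanism the question asks about, a dynamic var that has no root value and is only given a value with `binding` while a request is being handled, shown as an added example that is not part of the original post and not Ring's source. The names `*token*`, `wrap-token`, `sessions` and `form-handler`, the in-memory session map and the `:session-id` request key are all hypothetical stand-ins.

```clojure
(ns example.csrf-binding
  (:import (java.security SecureRandom)
           (java.util Base64)))

;; Stand-in for ring.middleware.anti-forgery/*anti-forgery-token*:
;; a dynamic var declared without a root value.
(def ^:dynamic *token*)

(defn- new-token
  "32 bytes from a CSPRNG, base64-encoded."
  []
  (let [buf (byte-array 32)]
    (.nextBytes (SecureRandom.) buf)
    (.encodeToString (Base64/getEncoder) buf)))

;; Constructed in-memory session store: session id -> session map.
(def sessions (atom {}))

(defn wrap-token
  "Hypothetical middleware: reuse the session's token or mint one, store it
  in the session, and bind *token* only for the duration of the handler call."
  [handler]
  (fn [{:keys [session-id] :as request}]
    (let [token (-> (swap! sessions update-in [session-id ::token]
                           #(or % (new-token)))
                    (get-in [session-id ::token]))]
      (binding [*token* token]
        (handler request)))))

(defn form-handler
  "Builds the hidden field eagerly, so *token* is read inside the binding."
  [_request]
  (str "<input type=\"hidden\" name=\"__anti-forgery-token\" value=\""
       *token* "\" />"))

(def app (wrap-token form-handler))

(comment
  ;; Evaluate at the REPL, outside any request: does the var have a value?
  (bound? #'*token*)
  ;; Two sessions, each rendered under its own thread-local binding.
  (app {:session-id "alice"})
  (app {:session-id "bob"})
  ;; Server-side lookup of the token that belongs to one session id.
  (get-in @sessions ["alice" ::token]))
```

Because `binding` is thread-local and scoped to the handler call, any lazily built markup has to be realized before the handler returns, otherwise it reads the var after the binding has been popped.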