Reputation: 987
I have a Rails 4 app with ajax calls and the jquery-rails gem, and sometimes CSRF protection fails for ajax calls.
I've never caught this problem myself, but some users have. One of them sent me screenshots and the source code of the page: there are no errors in the JS console, and the CSRF meta tag is present on the page.
I really don't know what may be causing this problem or how to debug it. Can you help me?
Upvotes: 2
Views: 573
Reputation: 8257
A Google query for "X-CSRF-Token header chrome incognito" returns some interesting results.
In particular, have a look at "I Saw An Extremely Subtle Bug Today And I Just Have To Tell Someone".
As @sevenseacat has pointed out, this is an old article regarding Rails 2 code; however, the symptoms are very similar and I wonder if the underlying cause is the same: something is occasionally ending the session, which is invalidating the CSRF token. Also, this problem may be an artifact of using Chrome in incognito mode.
In summary, intermittent loss of session causes subtle CSRF bugs.
Upvotes: 1
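To make the "session loss invalidates the token" mechanism concrete, here is a simplified re-implementation of the Rails 4 masked authenticity token scheme (one-time pad XOR the per-session secret, base64-encoded into the csrf-token meta tag). This is an added example, not Rails' own code or anything from the question; the constant name TOKEN_LENGTH, the helper names and the plain hash standing in for the session store are assumptions. It shows that a token rendered into a page verifies fine until the session is reset, after which the same token fails, which is exactly the intermittent failure described above.

```ruby
require 'securerandom'
require 'base64'

# Simplified re-implementation (added example, not Rails' own code) of the
# Rails 4 masked CSRF token scheme, to show why a reset session makes the
# token embedded in an already-rendered page fail verification.
TOKEN_LENGTH = 32

# The real per-session secret, created lazily and stored in the session.
# A reset or expired session gets a brand-new secret on the next request.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# What ends up in <meta name="csrf-token"> when the page is rendered:
# a fresh one-time pad followed by (pad XOR real token), base64-encoded.
# Every render yields a different string for the same session secret.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_byte_strings(pad, real_csrf_token(session)))
end

# Constant-time comparison so verification time does not leak the secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check of the X-CSRF-Token header (or authenticity_token param)
# against the session. Returns false on malformed input instead of raising.
def valid_authenticity_token?(session, encoded_masked_token)
  masked = Base64.strict_decode64(encoded_masked_token.to_s)
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad = masked[0, TOKEN_LENGTH]
  encrypted = masked[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_byte_strings(pad, encrypted), real_csrf_token(session))
rescue ArgumentError
  false
end

# Walk through the scenario from the question: the page is rendered, then the
# session is lost (expired or reset) before the ajax request arrives.
def session_loss_demo
  session = {}
  page_token = masked_authenticity_token(session)   # value in the meta tag
  before = valid_authenticity_token?(session, page_token)

  session.clear # e.g. session cookie expired, or reset_session was called
  after = valid_authenticity_token?(session, page_token) # fresh secret now

  { before: before, after: after }
end
```

Because verification only compares against whatever secret the current session holds, any event that drops the session (cookie expiry, a reset_session on login or logout, a cookie blocked in incognito mode) makes every token already rendered into open pages stale. On the server side this is worth logging as a distinct condition rather than a generic InvalidAuthenticityToken, so that intermittent reports like the one in the question can be correlated with session resets.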