Hello all, I've been trying to diagnose an issue with CSRF and Firefox specifically. I've got an ajax-based form, using UJS (yes, I have csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header to the ajax beforeSend events without any luck)... The form just posts some data to an ajax method that creates, saves, and sets the session for a shopper as well as for a hit object, then returns some JSON. This works in Chrome and Safari (haven't tested IE yet), but Firefox is a no-go. Basically, the session gets reset by CSRF (I confirmed this by setting config.action_controller.allow_forgery_protection to false and it works), but the weird thing is that upon inspecting the session, I DO have a hit_id, but no shopper_id!! This completely breaks my form and is frustrating as hell :P

I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would be appreciated!

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.
On 9 January 2013 20:18, Jeff Miller <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Hello all,
> I've been trying to diagnose an issue with CSRF and Firefox
> specifically. I've got an ajax-based form, using UJS (yes, I have
> csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
> to the ajax beforeSend events without any luck)... The form just posts
> some data to an ajax method that creates, saves, and sets the session
> for a shopper as well as for a hit object, then returns some JSON. This
> works in Chrome and Safari (haven't tested IE yet), but Firefox is a
> no-go. Basically, the session gets reset by CSRF (I confirmed this by
> setting config.action_controller.allow_forgery_protection to false and
> it works), but the weird thing is that upon inspecting the session, I DO
> have a hit_id, but no shopper_id!! This completely breaks my form and is
> frustrating as hell :P
>
> I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would
> be appreciated!

I expect you have done this (or an equivalent) already, but just in case, have you checked that the page contains valid html by pasting the complete page html into the w3c html validator?

Colin
Thanks for the response. Yeah, it's validating fine. I have discovered that the hit_id that I have in the session at the end is actually incremented by one, like it completely recreated the session, just without a shopper_id. Can't replicate in any other browser than Firefox... (on Mac)

--
Posted via http://www.ruby-forum.com/.
On Thu, Jan 10, 2013 at 4:18 AM, Jeff Miller <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Hello all,
> I've been trying to diagnose an issue with CSRF and Firefox
> specifically. I've got an ajax-based form, using UJS (yes, I have
> csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
> to the ajax beforeSend events without any luck)...

Instead of sending it as part of the header, have you tried sending it as part of the data? I'm not sure if it will make any difference (it should not) but it won't hurt to try.

> The form just posts
> some data to an ajax method that creates, saves, and sets the session
> for a shopper as well as for a hit object, then returns some JSON. This
> works in Chrome and Safari (haven't tested IE yet), but Firefox is a
> no-go. Basically, the session gets reset by CSRF (I confirmed this by
> setting config.action_controller.allow_forgery_protection to false and
> it works), but the weird thing is that upon inspecting the session, I DO
> have a hit_id, but no shopper_id!! This completely breaks my form and is
> frustrating as hell :P
>
> I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would
> be appreciated!

--
-------------------------------------------------------------
visit my blog at http://jimlabs.heroku.com
After a couple of days of debugging, I found out it was race conditions and totally unrelated to the CSRF... Turned out that CSRF was just a red herring. When the page was kicked off, there were a few asynchronous requests going on that were resetting the cookie. So for example, request A gets kicked off (that sets the shopper_id stuff) and request B gets kicked off at the same time (doesn't return the shopper_id), then request A finishes and sets the cookie (which has the shopper_id), but then request B comes back and overwrites that cookie thinking it was the original cookie. Very confusing and hard to track down, but my coworker and I managed to figure it out.

Thanks all!

- Jeff

--
Posted via http://www.ruby-forum.com/.
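The race Jeff describes is a consequence of how a cookie-backed session works: every request deserializes the whole session from the cookie it was sent, mutates its own private copy, and its response's Set-Cookie replaces the browser's cookie wholesale, so whichever concurrent response arrives last wins and silently discards the other's writes. The simulation below is an added example, not code from the thread or from Rails; the `CookieJar` class, the `run_request` helper, the two handlers and the id values (41, 100, 101) are all constructed here to reproduce the symptom reported above (a hit_id incremented by one, no shopper_id) and to show that serializing the second request behind the first makes it disappear.

```ruby
# Added example (not from the thread): models a cookie-backed session under
# two overlapping requests. All names and ids below are constructed.
require 'json'

# Stand-in for the browser's cookie jar holding the one session cookie.
# Browser behaviour: each Set-Cookie replaces the stored value entirely.
class CookieJar
  attr_reader :session

  def initialize
    @session = {}
  end

  def set(new_session)
    @session = new_session
  end
end

# A request: deserialize the session exactly as it was sent (deep copy, as
# decoding the cookie would), run the handler on that private copy, and return
# the result, which is what the response's Set-Cookie would carry.
def run_request(sent_session)
  sess = JSON.parse(JSON.generate(sent_session))
  yield sess
  sess
end

# Request A: creates the shopper and a hit, stores both ids in the session.
def handler_a(sess)
  sess['shopper_id'] = 41
  sess['hit_id'] = 100
end

# Request B: only records a hit (the next id, since A already took 100).
def handler_b(sess)
  sess['hit_id'] = 101
end

# Concurrent: both requests are fired with the same (empty) cookie. The
# browser applies A's Set-Cookie, then B's, so B's copy, which never saw
# shopper_id, is what remains.
def concurrent_flow
  jar = CookieJar.new
  sent = jar.session.dup
  response_a = run_request(sent) { |s| handler_a(s) }
  response_b = run_request(sent) { |s| handler_b(s) }
  jar.set(response_a)
  jar.set(response_b) # last writer wins; shopper_id is gone
  jar.session
end

# Serialized: B is only sent once A's response has been applied to the jar,
# so B starts from a cookie that already carries shopper_id and keeps it.
def serialized_flow
  jar = CookieJar.new
  jar.set(run_request(jar.session.dup) { |s| handler_a(s) })
  jar.set(run_request(jar.session.dup) { |s| handler_b(s) })
  jar.session
end

if __FILE__ == $PROGRAM_NAME
  puts "concurrent: #{concurrent_flow}"
  puts "serialized: #{serialized_flow}"
end
```

The serialized flow is the client-side fix (chain the second request on the first's completion). The same last-writer-wins behaviour is inherent to any store that keeps state in the cookie itself; a server-side session store, where the cookie carries only an id, turns concurrent writes into ordinary per-key updates rather than whole-session replacement, which is the other way to make this class of bug go away.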