Hi, http://apidock.com/rails/ActionController/RequestForgeryProtection only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same rails app in a new browser tab (maybe some info he'd like to read), and again he will get a new token. Then he changes to the first tab again and submits a form on that site (e.g. registration). Then he will get an InvalidAuthenticityToken error, but it was legal and common user behavior rather than request forgery.
- Is there a way to store e.g. a map with POST URLs as keys and CSRF tokens as values?
- Or storing a list of the last n CSRF tokens? The authentication procedure should then first check the newest token etc.
Luma
-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/RWB4vKLUURgJ. For more options, visit https://groups.google.com/groups/opt_out.
any comments?
On Thursday, April 18, 2013 10:42:07 PM UTC+1, Martin Luy wrote:
> any comments?
Why would opening a new tab get you a different csrf token?
Fred
On 19/04/13 16:25, Frederick Cheung wrote:
> On Thursday, April 18, 2013 10:42:07 PM UTC+1, Martin Luy wrote:
>> any comments?
> Why would opening a new tab get you a different csrf token?
>
> Fred
Does the new tab re-request the page?
You're right, sorry...
On Friday, 19 April 2013 09:25:39 UTC+2, Frederick Cheung wrote:
> On Thursday, April 18, 2013 10:42:07 PM UTC+1, Martin Luy wrote:
>> any comments?
> Why would opening a new tab get you a different csrf token?
> Fred
The invalid authenticity tokens are happening about once per day on average and with all kinds of forms in my app. Could it be that the token was outdated because the page was in the browser cache of the user? If so, how do you deal with that? <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"> might be overkill... How can we include this only for pages that include forms with authenticity tokens?
Martin
In some situations a new session was created because the user was logging in/out. Could I copy the old CSRF token into the new session, or would there be any security leak? In other cases the user was not logging in/out and didn't get a new session. Maybe the page was cached in the browser, so I added <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"> to my layout now.
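As an added example, not code from the thread or from Rails itself, a plain-Ruby model of the per-session token the replies describe (the class and method names mirror Rails' RequestForgeryProtection helpers but are a simplified re-implementation): the two tabs of the first post share one token, while a token rendered before reset_session (login/logout) or served from a cached page of an older session no longer verifies.

```ruby
require 'securerandom'

# Added example: a minimal model of how Rails' RequestForgeryProtection
# (Rails 3.x era) keeps one CSRF token per session. Not Rails' own code.
class CsrfSession
  def initialize
    @session = {}
  end

  # Like form_authenticity_token: generated once per session, so every page
  # rendered for this session (in any tab) embeds the same value.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Like reset_session (login/logout): new session, new token, so forms
  # rendered before the reset no longer verify.
  def reset_session
    @session = {}
  end

  # Like verified_request?: GET needs no token; other methods must carry the
  # current session token in the params or the X-CSRF-Token header.
  def verified_request?(method, params = {}, headers = {})
    return true if method == 'GET'
    submitted = params['authenticity_token'] || headers['X-CSRF-Token']
    return false unless submitted.is_a?(String)
    secure_compare(form_authenticity_token, submitted)
  end

  private

  # Constant-time comparison so the check does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario 1: two tabs of the same session share one token.
def two_tabs_same_session
  s = CsrfSession.new
  tab1 = s.form_authenticity_token          # first page rendered
  tab2 = s.form_authenticity_token          # linked page opened in a new tab
  [tab1 == tab2, s.verified_request?('POST', { 'authenticity_token' => tab1 })]
end

# Constructed scenario 2: a token from before reset_session is rejected.
def stale_token_after_reset
  s = CsrfSession.new
  stale = s.form_authenticity_token         # embedded in a pre-login page
  s.reset_session                           # login/logout
  s.verified_request?('POST', { 'authenticity_token' => stale })
end
```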