Question: Invalid Authenticity Token When Multiple Tabs Open

Added at 2017-01-04 16:01 | Answers: 0

Question

I have a Rails 4.2 application. Several months ago we started experiencing Invalid Authenticity Token errors. I've discovered that the following scenario reproduces the error:

1) User opens up a browser and visits ourwebsite.com/log-in.

2) User opens up a second tab in the same browser and visits ourwebsite.com/enroll-in-course.

3) User goes back to tab one and logs in submitting a POST form.

4) User goes to tab two and submits a POST form on the enroll-in-course page.

5) Error appears.


Here's some general information about our app:

  • We are using Devise 3.4.1 with zero customization applied.

  • Our application controller runs protect_from_forgery with: :exception.

  • We use Turbolinks 2.5.

  • We are not caching either form.

  • We run Turbolinks.pagesCached(0); in our JavaScript on all pages.

  • To reiterate, both forms in the above scenario are POST forms. They work perfectly fine except in the above scenario.

  • From my knowledge, we have not made any changes in handling user sessions or CSRF tokens.

I have a theory that because we log in the user, the csrf_token stored in the session changes. Thus when the user submits a form in the second tab, the token from the form will not match the token in the session and an InvalidAuthenticityToken is raised. What's wrong and how do I fix this? Better yet, is this even fixable?

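The post has no answers, so here is an added example (not code from the original post, from Rails or from Devise) that models the mechanism the poster suspects and lets you reproduce the five steps offline. It is a pure-Ruby stand-in for how Rails 4.2's protect_from_forgery handles authenticity tokens, written from memory of that behaviour rather than copied from Rails: the session keeps one raw secret in `session[:_csrf_token]`, each rendered form embeds a freshly masked copy (random one-time pad XORed with the secret, base64-encoded), and on POST the mask is stripped and compared with whatever secret the session holds at that moment. The session is a plain Hash, and "login rotates the secret" is modelled as deleting `:_csrf_token`; the helper names and the `rotate_token_on_login:` switch are this example's own.

```ruby
require "securerandom"
require "base64"

# Added example, not code from the original post. A pure-Ruby model of how
# Rails 4.2's protect_from_forgery checks a form's authenticity token
# (assumed behaviour, modelled here rather than taken from Rails itself).
TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so the check leaks nothing about the secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The raw per-session secret; created lazily the first time a form needs it.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

# What the view embeds in a form: a new mask on every render, the same
# underlying secret, so two open tabs hold different-looking tokens.
def masked_authenticity_token(session)
  real = real_csrf_token(session)
  pad  = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real))
end

# The POST-side check behind protect_from_forgery with: :exception.
def valid_authenticity_token?(session, form_token)
  return false unless form_token.is_a?(String)
  begin
    decoded = Base64.strict_decode64(form_token)
  rescue ArgumentError
    return false
  end
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad       = decoded[0...TOKEN_LENGTH]
  encrypted = decoded[TOKEN_LENGTH..-1]
  secure_compare(xor_bytes(pad, encrypted), real_csrf_token(session))
end

# Walks the five steps from the post. The session is a plain Hash (stand-in
# for the Rails session store); "login rotates the secret" is modelled as
# deleting :_csrf_token, which is what the post's theory amounts to.
# Returns [login_form_accepted, enroll_form_accepted].
def reproduce_scenario(rotate_token_on_login:)
  session = {}
  tab1_token = masked_authenticity_token(session) # 1) /log-in rendered
  tab2_token = masked_authenticity_token(session) # 2) /enroll-in-course rendered
  login_ok   = valid_authenticity_token?(session, tab1_token) # 3) log-in POST
  session.delete(:_csrf_token) if rotate_token_on_login       #    secret replaced
  enroll_ok  = valid_authenticity_token?(session, tab2_token) # 4) enroll POST
  [login_ok, enroll_ok]
end

# The client-side way out: tab two fetches a fresh masked token from the
# now-authenticated session before posting (what a JS refresh of the CSRF
# meta tag would do), so the stale token from the old render is never sent.
def reproduce_with_refresh
  session = {}
  masked_authenticity_token(session)         # tab two's original form
  session.delete(:_csrf_token)               # login happened in tab one
  fresh = masked_authenticity_token(session) # tab two refreshes its token
  valid_authenticity_token?(session, fresh)
end

if __FILE__ == $PROGRAM_NAME
  p reproduce_scenario(rotate_token_on_login: true)  # [true, false] -> 5) error
  p reproduce_scenario(rotate_token_on_login: false) # [true, true]
  p reproduce_with_refresh                           # true
end
```

With the rotation switched on the model gives exactly the post's outcome: the log-in POST passes, the enroll POST in the other tab fails. Rotating the secret at login is deliberate, not a bug: in Devise 3.x it is the `clean_up_csrf_token_on_authentication` setting (on by default), which exists so that a token issued to an unauthenticated session cannot survive into the authenticated one. Switching it off makes the second tab work again but gives that protection up; the safer fix is the refresh path shown last, where a page re-reads its token after a login elsewhere rather than trusting the one it was rendered with.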