Question: How is it possible for a legitimate user to submit an invalid CSRF token in Rails?

Added at 2017-01-05 11:01
Question

Our error logs occasionally contain legitimate form submissions that cause ActionController::InvalidAuthenticityToken errors.

My hypothesis is that the CSRF token stored in the user's session cookie has changed at some point after the form was loaded but before it was submitted. This causes a mismatch between the POSTed token and the token in the cookie, leading to this error.

Given that a Rails session cookie expires only when the browsing session ends (i.e. when the web browser is closed), what are the ways in which this cookie (and the CSRF token it includes) can be changed without closing the browser?

We are using cookies to store session data, which is Rails' default behaviour.

Answers
nr: #1 added: 2017-01-10 18:01

If closing the browser is not an option, then you have to log out the user. To achieve that, place the following code in ApplicationController.

rescue_from ActionController::InvalidAuthenticityToken do |exception|
  sign_out_user # Example method that will destroy the user cookies
end

P.S.: The above is from http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf, so refer to that for more information.

nr: #2 added: 2017-01-10 19:01

The user could have logged out and back in, but had a tab with a form open from the old session. That would send the old token.
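Added example (not from either answer, and not Rails' own code): a small Ruby model of how Rails unmasks the per-form CSRF token and compares it with the token stored in the session, used to reproduce the stale-tab case from answer #2, where a form rendered before a logout/login is submitted afterwards. The method names and the plain hash standing in for the session are my own assumptions.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # raw token size in bytes, as in Rails

# One raw token per session; reset_session (e.g. on logout) discards it.
def session_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
end

# The token rendered into a form is XOR-masked with a random one-time pad,
# so the same session token looks different in every rendered form.
def masked_form_token(session)
  raw = Base64.strict_decode64(session_csrf_token(session))
  pad = SecureRandom.random_bytes(raw.bytesize)
  masked = raw.bytes.zip(pad.bytes).map { |a, b| a ^ b }.pack("C*")
  Base64.strict_encode64(pad + masked)
end

# Constant-time byte comparison (hypothetical helper, not Rails' API).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Unmask the submitted token and compare it with the session's CURRENT token.
# Malformed input (bad base64, wrong length) is simply rejected.
def form_token_valid?(session, submitted)
  decoded = Base64.strict_decode64(submitted)
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  unmasked = masked.bytes.zip(pad.bytes).map { |a, b| a ^ b }.pack("C*")
  expected = Base64.strict_decode64(session_csrf_token(session))
  secure_compare(unmasked, expected)
rescue ArgumentError
  false
end

# Answer #2's scenario: a form is rendered, then the user logs out and back
# in (session reset) before submitting it from the still-open tab.
def stale_tab_scenario
  session = {}
  form_token = masked_form_token(session) # token baked into the open tab
  valid_before = form_token_valid?(session, form_token)
  session = {}                            # reset_session on logout/login
  session_csrf_token(session)             # the new login gets a fresh token
  valid_after = form_token_valid?(session, form_token)
  [valid_before, valid_after]             # => [true, false]
end
```

The second value is exactly the InvalidAuthenticityToken case from the question: the submitted token is well-formed, but it was derived from a session token that no longer exists.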
