ActionController::RequestForgeryProtection - APIdock only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same rails app in a new browser tab (maybe some info he’d like to read), and again he will get a new token. Then he changes to the first tab again and submits a form on that site (e.g. registration). Then he will get an InvalidAuthenticityToken error, but it was a legal and common user behavior rather than request forgery.

Is there a way to store e.g. a map with POST URLs as keys and CSRF tokens as values?

Or storing a list of the last n CSRF tokens? The authentication procedure should then first check the newest token etc.

The invalid authenticity tokens are happening ~1x per day on average and with all kinds of forms in my app. Could it be that the token was outdated because the page was in the browser cache of the user? If so, how do you deal with that?

might be overkill… How can we include this only for pages that include forms with authenticity tokens?

In some situations a new session was created because the user was logging in/out. Could I copy the old CSRF-token into the new session, or would there be any security leak?

In other cases the user was not logging in/out and didn’t get a new session. Maybe the page was cached in the browser, so I added in my layout now.