Issues with ajax requests and user session

I’m using an exception notification plugin which sends me an email
whenever an exception is raised on the rails server. Regularly I’m
getting exception reports due to raising a PermissionDenied exception
when a user has no access or because rails complains about an invalid
authenticity token.

I can never reproduce these. And in 99% of the cases it works fine for
our users, but there’s a 1% for whom it apparently fails.

These exceptions are always due to an action triggered by an ajax
request.

The content of the exception report is always something like below.

The thing I find odd is that the HTTP_COOKIE indicates the user is
logged in, but the session section reports a session_id of nil. I.e.,
the code will see the user as logged out, and raise an access denied
exception.

In my log I can see that subsequent (non-Ajax) requests from the same
user do work fine.

I also notice that all exception reports are always from MSIE6.0 and
MSIE7.0 clients.

I’m using jQuery.

I was wondering if anyone else has seen issues like this. Is there a
known cause and/or workaround / solution?

Cheers,
Jimmy


Request:

  • URL : http://example.com/ajaxaction
  • IP address: 165.86.81.25
  • Parameters: {“format”=>“json”, “action”=>“ajaxaction”,
    “_method”=>“put”, “authenticity_token”=>“/y/
    G2RkIl8kQjgkc934aui8iEvJ1HeOfCY6EnB3/VQs=”, “controller”=>“posts”,
    “invitation_code”=>“4ba96ffdcb92dc054bbf5fb803099645cc1ce10d”}
  • Rails root: /var/www/production.example.com/releases/
    20090812034504

Session:

  • session id: nil
  • data: nil

Environment:

  • CONTENT_LENGTH : 83

  • CONTENT_TYPE : application/x-www-
    form-urlencoded

  • DOCUMENT_ROOT : /var/www/
    production.example.com/current/public

  • HTTP_ACCEPT : application/json,
    text/javascript, /, text/javascript

  • HTTP_ACCEPT_LANGUAGE : en-au

  • HTTP_CONNECTION : Keep-Alive

  • HTTP_CONTENT_TYPE : application/x-www-
    form-urlencoded

  • HTTP_COOKIE :
    __utma=136239534.4438442336996744000.1340901452.12403901452.1250110149.2;
    __utmb=133279534.11.30.1230110149;
    __utmz=136279534.1240901452.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=
    (none);
    _example_session=BAh7CjoPc2Vzc2lvbl9pZCIlMWQ3ZWIwYTJlYzRkNGI2OTk0MTVjYWE3NTRhZTJlNzA6EF9jc3JmX3Rva2VuIjEveS9HMlJrS3w4a1FqZ2tjOGk2YXVpOGlFdkoxSGVPZkNZNkVuQjMvVlFzPToMdXNlcl9pZGkCw2o6CHNzaSINLGxpYnJhcnkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFz3Ehhc2h7AAY6CkB1c2VkewA
    %3D–9a490353a0b021dead9cbd438fd97997eb22c70a; __utmc=136579534;
    __qca=1242135797-11579318-30372251; __qcb=496730851;
    __gads=ID=4b3d13fa4267a99d:T=1250110172:S=ALNI_MZjarEIGP8SctjtUWhuKtWFvl7Edg;
    auth_token=; __unam=7659673-12310665fd4-664da270-1

  • HTTP_HOST : example.com

  • HTTP_PRAGMA : no-cache

  • HTTP_REFERER : http://example.com/

  • HTTP_USER_AGENT : Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1)

  • HTTP_VIA : 1.0 GWD-BK7-PXY01,
    1.1 GWD-BK7-PXY03

  • HTTP_X_NOVINET : v1.2

  • HTTP_X_REQUESTED_WITH : XMLHttpRequest

  • PATH_INFO : /ajaxaction

  • QUERY_STRING :

  • REMOTE_ADDR : 165.86.81.25

  • REMOTE_PORT : 41604

  • REQUEST_METHOD : PUT

  • REQUEST_URI : /ajaxaction

  • SCRIPT_NAME :

  • SERVER_ADDR : 100.22.88.200

  • SERVER_ADMIN :
    [email protected]

  • SERVER_NAME : example.com

  • SERVER_PORT : 80

  • SERVER_PROTOCOL : HTTP/1.1

  • SERVER_SOFTWARE : Apache/2.2.8
    (Ubuntu) mod_ssl/2.2.8 OpenSSL/0.9.8g Phusion_Passenger/2.2.3

  • _ : _

  • action_controller.request.path_parameters :
    formatjsonactionaccept_postscontroller4ba96ffdcb92dc054bbf5fb803099645cc1ce10d

  • action_controller.request.query_parameters :

  • action_controller.request.request_parameters: authenticity_token/y/
    G2RkIl8kQjgkc8i6aui8iEvJ1HeOfCY6EnB3/VQs=_methodput

  • action_controller.rescue.request :
    #ActionController::Request:0x7f1e3e134f80

  • action_controller.rescue.response :
    #ActionController::Response:0x7f1e3e130778

  • rack.errors : #IO:0x7f1e47c9cea0

  • rack.input :
    #Rack::RewindableInput:0x7f1e3e13ee40

  • rack.methodoverride.original_method : POST

  • rack.multiprocess : true

  • rack.multithread : false

  • rack.request.cookie_hash :
    __utma136279534.4458442336996744000.1240901452.1240901452.1250110149.2__utmb136279534.11.10.1250110149__utmc136279534__utmz136279534.1240901452.1.1.utmcsr=
    (direct)|utmccn=(direct)|utmcmd=(none)
    _example_sessionBAh7Czc2lvbl9pZCIlMWQ3ZWIwYTJlYzRkNGI2OTk0MTVjYWE3NTRhZTJlNzA6EF9jc3JmX3Rva2VuIjEveS9HMlJrSWw4a1FqZ2tjOGk2YXVpOGlFdkoxSGVPZkNZNkVuQjMvVNlcl9pZGkCw2o6CHNzaSINLGxpYnJhcnkiCmZsYXN6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA=–9a490353a0b021dead28fd97997eb22c70aauth_token__qca1245797-19318-302251__qcb4740851__gadsID=4b3d18f7a99d:T=1250110172:S=ALNI_MZjarEIGPtUWhuKtWFvl7Edg__unam7639673-123665fd4-665da270-1

  • rack.request.cookie_string :
    __utma=136279534.4458442336996744000.1240901452.1240901452.1250110149.2;
    __utmb=136279534.11.10.1250110149;
    __utmz=136279534.1240901452.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=
    (none);
    _example_session=BAh7CjoPc2Vzc2lvbl9pZCIlMWQ3ZWIwYTJ2OTk0MTVjYWE3NTRhZTJlNzA6EF9jc3JmX3Rva2VuIjEveS9HMlJrSWw4a1FqZ2tjOGk2YXVpOGlFdkoxSGVPZkNZNkVuQjMvVlFzPToMdXNlcl9pZGkCw2o6CHNzaSINLGxpYnJhcnkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA
    %3D–9a490353a0b02fd97997eb22c70a; __utmc=13634;
    __qca=12421797-11318-372251; __qcb;
    __gads=ID=4b3d18fa4267a99d:T=1250110172:S=ALNI_MZjarEhuKtWFvl7Edg;
    auth_token=; __unam=7639673-12310665fd4-665da270-1

  • rack.request.form_hash : authenticity_token/y/
    G2RkIl8kQjgkc8J1HeOfCY6EnB3/VQs=_methodput

  • rack.request.form_input :
    #Rack::RewindableInput:0x7f1e3e13ee40

  • rack.request.form_vars :
    _method=put&authenticity_token=%2Fy%2FG2RkIl8kQjiEvJ1HeOfCY6EnB3%2FVQs
    %3D

  • rack.request.query_hash :

  • rack.request.query_string :

  • rack.run_once : false

  • rack.session :
    session_id1d7eb0a2ec4aa754ae2e70_csrf_token/y/
    G2RkIl8ui8iEvJ1HeOfCY6EnB3/VQs=user_id21

  • rack.session.options : path/
    expire_afterhttponlytruedomain.example.comid1d7eb0a2ec4d4b69a754ae2e70key_session_id

  • rack.url_scheme : http

  • rack.version : 10

  • Process: 20353

  • Server : exampleproduction

On Aug 13, 2:30 am, Jimmy [email protected] wrote:

request.

do you have a concurrent request problem ? when you get two
overlapping requests from a single user then changes by one of them to
the session will ‘beat’ changes by the other one.

Fred

I’ve seen these in production - but I’ve never been able to run down
the source. It’s always IE that’s causing them, though. I think there
may be some PC antivirus or “accelerator” that’s trying to prefetch
stuff but doing it wrong…

–Matt J.

This action is triggered by pressing a button which executes a piece
of javascript… the setup is done in a jquery document ready block of
code. It would highly surprise me if a prefetcher would trigger that
button.

As the action is triggered by a user action, I also don’t think this
should give a concurrent request problem. (the app runs in passenger
too, I was under the impression that within passenger you shouldn’t
run into any concurrency issues anyways?)

The source is indeed always an MSIE browser, which would suggest a
browser issue. However, seeing that the browser does send a correct
cookie with the session id in there, I wonder if for some reason the
rails server can’t match the session…

Jimmy