I’m using an exception notification plugin which sends me an email
whenever an exception is raised on the rails server. Regularly I’m
getting exception reports due to raising a PermissionDenied exception
when a user has no access or because rails complains about an invalid
authenticity token.
I can never reproduce these. And in 99% of the cases it works fine for
our users, but there’s a 1% for whom it apparently fails.
These exceptions are always due to an action triggered by an ajax
request.
The content of the exception report is always something like below.
The thing I find odd is that the HTTP_COOKIE indicates the user is
logged in, but the session section reports a session_id of nil. I.e.,
the code will see the user as logged out, and raise an access denied
exception.
In my log I can see that subsequent (non-Ajax) requests from the same
user do work fine.
I also notice that all exception reports are always from MSIE6.0 and
MSIE7.0 clients.
I’m using jQuery.
I was wondering if anyone else has seen issues like this. Is there a
known cause and/or workaround / solution?
Cheers,
Jimmy
Request:
- URL : http://example.com/ajaxaction
- IP address: 165.86.81.25
- Parameters: {“format”=>“json”, “action”=>“ajaxaction”,
“_method”=>“put”, “authenticity_token”=>“/y/
G2RkIl8kQjgkc934aui8iEvJ1HeOfCY6EnB3/VQs=”, “controller”=>“posts”,
“invitation_code”=>“4ba96ffdcb92dc054bbf5fb803099645cc1ce10d”} - Rails root: /var/www/production.example.com/releases/
20090812034504
Session:
- session id: nil
- data: nil
Environment:
-
CONTENT_LENGTH : 83
-
CONTENT_TYPE : application/x-www-
form-urlencoded -
DOCUMENT_ROOT : /var/www/
production.example.com/current/public -
HTTP_ACCEPT : application/json,
text/javascript, /, text/javascript -
HTTP_ACCEPT_LANGUAGE : en-au
-
HTTP_CONNECTION : Keep-Alive
-
HTTP_CONTENT_TYPE : application/x-www-
form-urlencoded -
HTTP_COOKIE :
__utma=136239534.4438442336996744000.1340901452.12403901452.1250110149.2;
__utmb=133279534.11.30.1230110149;
__utmz=136279534.1240901452.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=
(none);
_example_session=BAh7CjoPc2Vzc2lvbl9pZCIlMWQ3ZWIwYTJlYzRkNGI2OTk0MTVjYWE3NTRhZTJlNzA6EF9jc3JmX3Rva2VuIjEveS9HMlJrS3w4a1FqZ2tjOGk2YXVpOGlFdkoxSGVPZkNZNkVuQjMvVlFzPToMdXNlcl9pZGkCw2o6CHNzaSINLGxpYnJhcnkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFz3Ehhc2h7AAY6CkB1c2VkewA
%3D–9a490353a0b021dead9cbd438fd97997eb22c70a; __utmc=136579534;
__qca=1242135797-11579318-30372251; __qcb=496730851;
__gads=ID=4b3d13fa4267a99d:T=1250110172:S=ALNI_MZjarEIGP8SctjtUWhuKtWFvl7Edg;
auth_token=; __unam=7659673-12310665fd4-664da270-1 -
HTTP_HOST : example.com
-
HTTP_PRAGMA : no-cache
-
HTTP_REFERER : http://example.com/
-
HTTP_USER_AGENT : Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1) -
HTTP_VIA : 1.0 GWD-BK7-PXY01,
1.1 GWD-BK7-PXY03 -
HTTP_X_NOVINET : v1.2
-
HTTP_X_REQUESTED_WITH : XMLHttpRequest
-
PATH_INFO : /ajaxaction
-
QUERY_STRING :
-
REMOTE_ADDR : 165.86.81.25
-
REMOTE_PORT : 41604
-
REQUEST_METHOD : PUT
-
REQUEST_URI : /ajaxaction
-
SCRIPT_NAME :
-
SERVER_ADDR : 100.22.88.200
-
SERVER_ADMIN :
[email protected] -
SERVER_NAME : example.com
-
SERVER_PORT : 80
-
SERVER_PROTOCOL : HTTP/1.1
-
SERVER_SOFTWARE : Apache/2.2.8
(Ubuntu) mod_ssl/2.2.8 OpenSSL/0.9.8g Phusion_Passenger/2.2.3 -
_ : _
-
action_controller.request.path_parameters :
formatjsonactionaccept_postscontroller4ba96ffdcb92dc054bbf5fb803099645cc1ce10d -
action_controller.request.query_parameters :
-
action_controller.request.request_parameters: authenticity_token/y/
G2RkIl8kQjgkc8i6aui8iEvJ1HeOfCY6EnB3/VQs=_methodput -
action_controller.rescue.request :
#ActionController::Request:0x7f1e3e134f80 -
action_controller.rescue.response :
#ActionController::Response:0x7f1e3e130778 -
rack.errors : #IO:0x7f1e47c9cea0
-
rack.input :
#Rack::RewindableInput:0x7f1e3e13ee40 -
rack.methodoverride.original_method : POST
-
rack.multiprocess : true
-
rack.multithread : false
-
rack.request.cookie_hash :
__utma136279534.4458442336996744000.1240901452.1240901452.1250110149.2__utmb136279534.11.10.1250110149__utmc136279534__utmz136279534.1240901452.1.1.utmcsr=
(direct)|utmccn=(direct)|utmcmd=(none)
_example_sessionBAh7Czc2lvbl9pZCIlMWQ3ZWIwYTJlYzRkNGI2OTk0MTVjYWE3NTRhZTJlNzA6EF9jc3JmX3Rva2VuIjEveS9HMlJrSWw4a1FqZ2tjOGk2YXVpOGlFdkoxSGVPZkNZNkVuQjMvVNlcl9pZGkCw2o6CHNzaSINLGxpYnJhcnkiCmZsYXN6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA=–9a490353a0b021dead28fd97997eb22c70aauth_token__qca1245797-19318-302251__qcb4740851__gadsID=4b3d18f7a99d:T=1250110172:S=ALNI_MZjarEIGPtUWhuKtWFvl7Edg__unam7639673-123665fd4-665da270-1 -
rack.request.cookie_string :
__utma=136279534.4458442336996744000.1240901452.1240901452.1250110149.2;
__utmb=136279534.11.10.1250110149;
__utmz=136279534.1240901452.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=
(none);
_example_session=BAh7CjoPc2Vzc2lvbl9pZCIlMWQ3ZWIwYTJ2OTk0MTVjYWE3NTRhZTJlNzA6EF9jc3JmX3Rva2VuIjEveS9HMlJrSWw4a1FqZ2tjOGk2YXVpOGlFdkoxSGVPZkNZNkVuQjMvVlFzPToMdXNlcl9pZGkCw2o6CHNzaSINLGxpYnJhcnkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA
%3D–9a490353a0b02fd97997eb22c70a; __utmc=13634;
__qca=12421797-11318-372251; __qcb;
__gads=ID=4b3d18fa4267a99d:T=1250110172:S=ALNI_MZjarEhuKtWFvl7Edg;
auth_token=; __unam=7639673-12310665fd4-665da270-1 -
rack.request.form_hash : authenticity_token/y/
G2RkIl8kQjgkc8J1HeOfCY6EnB3/VQs=_methodput -
rack.request.form_input :
#Rack::RewindableInput:0x7f1e3e13ee40 -
rack.request.form_vars :
_method=put&authenticity_token=%2Fy%2FG2RkIl8kQjiEvJ1HeOfCY6EnB3%2FVQs
%3D -
rack.request.query_hash :
-
rack.request.query_string :
-
rack.run_once : false
-
rack.session :
session_id1d7eb0a2ec4aa754ae2e70_csrf_token/y/
G2RkIl8ui8iEvJ1HeOfCY6EnB3/VQs=user_id21 -
rack.session.options : path/
expire_afterhttponlytruedomain.example.comid1d7eb0a2ec4d4b69a754ae2e70key_session_id -
rack.url_scheme : http
-
rack.version : 10
-
Process: 20353
-
Server : exampleproduction