So I’ve had this application online for about 4 months now, and ever
since launch, I get random e-mails from ExceptionNotification about
authenticity token errors. In and of itself, that’s cool, but I’m
disturbed by the number I’ve received.

Long story short, I’ve gone through lots of output from Exception
Notification and found no pinpoint commonality. I’ve seen user agents
from IE 6 through FF 3.5. Some are on OS X, most on Windows, and most
have MS Office installed (signs thereof showing up in the output from
EN under user-agent).

So far, my only theory is that it has something to do with the way
Passenger is spawning the application. As I understand it, a request
comes into Apache, which shuttles it to Passenger, which then shuttles
it to one of X instances of the Rails application (where X is unknown
to me), depending on which is lowest on traffic. In theory, if a
user’s initial request came in for one instance, this would trigger
the error if they somehow got shuttled to a different running instance
of Passenger on their next request, because their authenticity token
was generated by another running instance of the application.

And yes, I’m 99.9% sure they’re real humans causing these, and not
bots or CSRF attacks (the vast majority anyway, I’m sure we’ve had a
few bots/hack attempts, but not nearly this many).

Does this theory hold water? If not, what else do you think could be
causing so many authenticity token errors?
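To make the theory testable, here is an added example (not part of the original post, and not Rails’ or Passenger’s own code) that models how a Rails-style authenticity token is checked: the token lives in the user’s session, the form carries a copy, and on POST the two are compared. The session is modelled as a cookie-store style cookie (JSON payload plus HMAC), which any process holding the same secret can read, so the example runs the GET against one simulated instance and the POST against another. All names (`CsrfDemo`, `AppInstance`, the secret values) are constructed for the demo; the assumption that every instance reads the same secret is marked in the code.

```ruby
require 'securerandom'
require 'base64'
require 'openssl'
require 'json'

# Constructed demo of Rails-style authenticity token verification.
# Module and class names are hypothetical, not Rails' own API.
module CsrfDemo
  # Assumption: every running instance loads the same session secret.
  SECRET = 'constructed-shared-secret'

  # Constant-time comparison so the token check does not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Cookie-store style session: base64 JSON plus HMAC, handed to the browser.
  def self.sign_session(session, secret)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
  end

  # A missing, tampered, or foreign-secret cookie yields an empty session.
  def self.load_session(cookie, secret)
    return {} if cookie.nil? || cookie.empty?
    data, mac = cookie.split('--', 2)
    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data.to_s)
    return {} unless secure_compare(expected, mac.to_s)
    JSON.parse(Base64.strict_decode64(data))
  end

  # One running copy of the application, e.g. one Passenger worker.
  class AppInstance
    def initialize(secret)
      @secret = secret
    end

    # GET /form: make sure the session has a token, embed it in the form,
    # and return the re-signed session cookie for the browser.
    def render_form(cookie)
      session = CsrfDemo.load_session(cookie, @secret)
      session['_csrf_token'] ||= SecureRandom.base64(32)
      [session['_csrf_token'], CsrfDemo.sign_session(session, @secret)]
    end

    # POST /submit: the form token must match the token stored in the session.
    def handle_post(cookie, submitted_token)
      session = CsrfDemo.load_session(cookie, @secret)
      stored = session['_csrf_token']
      if stored && submitted_token && CsrfDemo.secure_compare(stored, submitted_token)
        :ok
      else
        :invalid_authenticity_token
      end
    end
  end

  # Scenario 1: form rendered by one instance, POST handled by another.
  def self.cross_instance_post
    a = AppInstance.new(SECRET)
    b = AppInstance.new(SECRET)
    token, cookie = a.render_form(nil)
    b.handle_post(cookie, token)
  end

  # Scenario 2: the browser never sent the session cookie back
  # (cookies blocked, session expired, cookie cleared between requests).
  def self.post_without_cookie
    a = AppInstance.new(SECRET)
    token, _cookie = a.render_form(nil)
    a.handle_post(nil, token)
  end

  # Scenario 3: the POST lands on an instance configured with a different secret,
  # so the session cookie cannot be verified and the stored token is unreadable.
  def self.post_to_mismatched_secret
    a = AppInstance.new(SECRET)
    b = AppInstance.new('constructed-other-secret')
    token, cookie = a.render_form(nil)
    b.handle_post(cookie, token)
  end
end

if __FILE__ == $0
  puts "cross-instance POST:        #{CsrfDemo.cross_instance_post}"
  puts "POST without cookie:        #{CsrfDemo.post_without_cookie}"
  puts "POST to mismatched secret:  #{CsrfDemo.post_to_mismatched_secret}"
end
```

The first scenario passes even though a different instance handles the POST, because the check only needs the session cookie to round-trip with a secret both instances share; which worker generated the token does not enter into it. The two scenarios that fail are the ones worth checking in the ExceptionNotification output: a request that arrives with no session cookie (or an expired one), and a request whose cookie was signed with a secret the receiving instance does not have.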