Forum: Ruby on Rails CSRF resets my session in Firefox

Jeff Miller (ibanez270dx)
on 2013-01-09 21:18
Hello all,
  I've been trying to diagnose an issue with CSRF and Firefox
specifically. I've got an ajax based form, using UJS (yes, I have
csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
to the ajax beforeSend events without any luck)... The form just posts
some data to an ajax method that creates, saves, and sets the session
for a shopper as well as for a hit object, then returns some JSON. This
works in Chrome and Safari (haven't tested IE yet), but Firefox is a
no-go. Basically, the session gets reset by CSRF (I confirmed this by
setting config.action_controller.allow_forgery_protection to false and
it works), but the weird thing is that upon inspecting the session, I DO
have a hit_id, but no shopper_id!! This completely breaks my form and is
frustrating as hell :P

I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would
be appreciated!
Colin Law (Guest)
on 2013-01-09 21:27
(Received via mailing list)
On 9 January 2013 20:18, Jeff Miller <lists@ruby-forum.com> wrote:
> it works), but the weird thing is that upon inspecting the session, I DO
> have a hit_id, but no shopper_id!! This completely breaks my form and is
> frustrating as hell :P
>
> I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would
> be appreciated!

I expect you have done this (or an equivalent) already, but just in
case, have you checked that the page contains valid html by pasting
the complete page html into the w3c html validator?

Colin
Jeff Miller (ibanez270dx)
on 2013-01-10 01:31
Thanks for the response. Yeah, it's validating fine. I have discovered
that the hit_id that I have in the session at the end is actually
incremented by one, like it completely recreated the session, just
without a shopper_id. Can't replicate in any other browser than
Firefox... (on Mac)
Jim ruther Nill (jimboker)
on 2013-01-10 02:17
(Received via mailing list)
On Thu, Jan 10, 2013 at 4:18 AM, Jeff Miller <lists@ruby-forum.com> wrote:

> Hello all,
>   I've been trying to diagnose an issue with CSRF and Firefox
> specifically. I've got an ajax based form, using UJS (yes, I have
> csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
> to the ajax beforeSend events without any luck)...

Instead of sending it as part of the header, have you tried sending it
as part of the data? I'm not sure if it will make any difference (it
should not) but it won't hurt to try.
Jeff Miller (ibanez270dx)
on 2013-01-10 23:50
After a couple of days of debugging, I found out it was race conditions
and totally unrelated to the CSRF... Turned out that CSRF was just a red
herring. When the page was kicked off, there were a few asynchronous
requests going on that were resetting the cookie. So for example, request
A gets kicked off (that sets the shopper_id stuff) and request B gets
kicked off at the same time (doesn't return the shopper_id), then
request A finishes and sets the cookie (which has the shopper_id), but
then request B comes back and overwrites that cookie thinking it was the
original cookie.

Very confusing and hard to track down, but my coworker and I managed to
figure it out.

Thanks all!
 - Jeff
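The lost-update race Jeff describes, as an added illustration that is not part of the thread or of Rails itself: a cookie-backed session carries the whole session hash in the cookie, so two requests fired with the same stale cookie end with the last response overwriting the first. The `request_a`/`request_b` functions and the Base64+JSON cookie encoding are constructed stand-ins, not Rails' CookieStore.

```ruby
require 'json'
require 'base64'

# Constructed stand-in for a cookie-backed session store (not Rails' own
# CookieStore): the entire session rides in the cookie, so whichever
# response the browser applies last wins.
def encode_session(hash)
  Base64.strict_encode64(JSON.generate(hash))
end

def decode_session(cookie)
  cookie ? JSON.parse(Base64.strict_decode64(cookie)) : {}
end

# Hypothetical request A: creates the shopper and the hit, stores both ids
# in the session and returns the new cookie value (its Set-Cookie header).
def request_a(cookie_in, hit_id, shopper_id)
  session = decode_session(cookie_in)
  session.merge!('hit_id' => hit_id, 'shopper_id' => shopper_id)
  encode_session(session)
end

# Hypothetical request B: only records a hit. It never sees a shopper_id
# because it was sent with the same stale cookie as A.
def request_b(cookie_in, hit_id)
  session = decode_session(cookie_in)
  session.merge!('hit_id' => hit_id)
  encode_session(session)
end

# Race: A and B are fired with the same initial cookie. A's Set-Cookie is
# applied first, then B's replaces it, and shopper_id is lost while hit_id
# has moved on by one, exactly the symptom seen in the thread.
def racing_sessions(initial_cookie = nil)
  request_a(initial_cookie, 1, 42) # applied by the browser, then clobbered
  decode_session(request_b(initial_cookie, 2))
end

# Fix: chain B after A's response so B carries A's cookie forward and its
# read-modify-write keeps the shopper_id.
def serialized_sessions(initial_cookie = nil)
  decode_session(request_b(request_a(initial_cookie, 1, 42), 2))
end

if __FILE__ == $PROGRAM_NAME
  puts "racing:     #{racing_sessions}"
  puts "serialized: #{serialized_sessions}"
end
```

The same lost update happens with any store that loads the whole session hash per request and writes it back, so the fix is to avoid concurrent session-mutating requests (or have only one of them write the session), not to switch browsers.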