On Wednesday, July 26, 2017 at 3:24:19 PM UTC+1, Jason FB wrote:

> 
> The exception we see is simply ActionController::InvalidAuthenticityToken on 
> normal logins to our website. Upon careful examination of the 
> authenticity_token sent by the form and the session's _csrf_token (we are 
> using active_record_store as our session_store setting), they just don't 
> match. Upon direct examination, I can conclude only that they are completely 
> different tokens, but I don't know why. 
 

First off, it's normal for those values not to match on Rails >= 4.2 (because 
of CSRF token masking), but that doesn't apply here.

One case I've seen is race conditions creating the session: if the browser 
requests 2 pages at roughly the same time, before the session has been set, 
then both of those responses will contain a different session cookie, and one 
of those pages will be using the wrong one. When using the cookie session store 
this race condition can also happen at the point that the CSRF token is first 
set (I believe this won't happen until you first render a page with a form).

Can you confirm from your logs whether that is a plausible explanation?

Fred
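As an added illustration of Fred's first point (not code from the thread or from Rails itself), the following is a stand-alone reimplementation of the authenticity-token masking that Rails >= 4.2 applies: the form's hidden `authenticity_token` is a fresh random one-time pad followed by the session's real `_csrf_token` XORed with that pad, so the two strings never compare equal even though the form token is valid. A plain Hash stands in for the Rails session, and the function names mirror the Rails ones only for readability; they are this example's own definitions.

```ruby
require 'securerandom'
require 'base64'

# Added example, not Rails' own source: a stand-alone reimplementation of the
# authenticity-token masking that Rails >= 4.2 applies, so the reason the form's
# authenticity_token never equals session[:_csrf_token] can be seen directly.
AUTHENTICITY_TOKEN_LENGTH = 32

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# The per-session secret, stored base64-encoded in the session (here a plain
# Hash standing in for the Rails session); returns the decoded raw bytes.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

# What goes into the form's hidden authenticity_token field: a fresh random
# one-time pad, followed by the real token XORed with that pad. Every render
# yields a different value, none of which equals the session token.
def masked_authenticity_token(session)
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  encrypted = xor_byte_strings(one_time_pad, real_csrf_token(session))
  Base64.strict_encode64(one_time_pad + encrypted)
end

# Recover the real token from a masked one by XORing the two halves together.
def unmask_token(masked_token)
  one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
  encrypted = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
  xor_byte_strings(one_time_pad, encrypted)
end

# Constant-time comparison of two equal-length byte strings.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: decode, unmask, and compare with the session's real token.
# Malformed or wrong-length input is rejected rather than raising.
def valid_authenticity_token?(session, encoded_masked_token)
  return false unless encoded_masked_token.is_a?(String)
  masked_token = Base64.strict_decode64(encoded_masked_token)
  return false unless masked_token.bytesize == AUTHENTICITY_TOKEN_LENGTH * 2
  secure_compare(unmask_token(masked_token), real_csrf_token(session))
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  form_token = masked_authenticity_token(session)
  puts "session[:_csrf_token]:   #{session[:_csrf_token]}"
  puts "form authenticity_token: #{form_token}"
  puts "equal as strings?        #{form_token == session[:_csrf_token]}"
  puts "valid after unmasking?   #{valid_authenticity_token?(session, form_token)}"
end
```

Running it shows the two values differing on every render while the check still passes, which is the "normal" mismatch Fred describes. The mismatch in the original report is the other kind: a token that fails even after unmasking, which points at the request being checked against a different session than the one that rendered the form, exactly what the session-creation race would produce.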
