CSRF Token Session Gets Reset

I am using Rails 3.2.3 along with active_record_store for my session.

I understand that the CSRF token in rails is stored in the session and should not be reset unless reset_session is called or for some reason the session is destroyed.

But in some places, when a remote form is loaded via ajax, it contains a different authenticity token from the one specified in the META tag of the page. Therefore, you get an invalid token error and a reset_session when submitting this form.

    # Rails' own helper: generates the token once and caches it in the session
    def form_authenticity_token
      session[:_csrf_token] ||= SecureRandom.base64(32)
    end

I cannot figure out why, for a valid session, session[:_csrf_token] is destroyed and a new token is created.

+4

1 answer

After a big hunt, I finally figured out this problem. I was storing model objects directly in the session, and even though I was using the active record session store, which has a size limit of 65 KB, the session was being truncated after 4 KB, which caused the CSRF token to be erased and a new one to be generated. Yes! Error ... Never store model objects in a session unless you have a good reason to. In any case, I am still trying to understand why, even with the active record session store, I could not save a larger object in the session.

+2
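The failure mode the answer describes, reproduced outside Rails as an added example (this is not code from the question or the answer): a session hash is serialized the way ActiveRecord::SessionStore does it (Marshal, then Base64 into the `data` column), and a session that carries a whole model object blows past the storage limit, while one that carries only the record's id stays small. The 4 KB limit, the `User` struct standing in for an ActiveRecord model, and the helper names are assumptions made for the demonstration. It also shows what a truncated write means for the next request: the blob no longer unmarshals, the session comes back empty, and `form_authenticity_token` has to mint a new CSRF token, which is exactly the "invalid token" symptom from the question.

```ruby
require "securerandom"
require "base64"

# Constructed stand-in for a model object. A real ActiveRecord instance
# marshals with its whole attribute hash, association cache and errors,
# which is why it gets so large once serialized.
User = Struct.new(:id, :email, :profile_blob)

# Approximates how ActiveRecord::SessionStore persists a session:
# Marshal.dump the hash, then Base64-encode it into the `data` column.
def serialized_session(session)
  Base64.encode64(Marshal.dump(session))
end

# True if the serialized session fits the store's column. The limit is
# passed in because the real column size depends on the database schema.
def session_fits?(session, limit_bytes)
  serialized_session(session).bytesize <= limit_bytes
end

# The wrong way: the whole model object goes into the session.
def session_with_model(user)
  { "_csrf_token" => SecureRandom.base64(32), "current_user" => user }
end

# The right way: only the id goes in; the record is reloaded per request.
def session_with_id(user)
  { "_csrf_token" => SecureRandom.base64(32), "user_id" => user.id }
end

# Simulates what a truncated write does on the next request: bytes past
# the limit are lost, the stored blob no longer unmarshals, and the store
# hands back an empty session, so the CSRF token is gone.
def session_after_truncated_write(session, limit_bytes)
  blob = serialized_session(session)[0, limit_bytes]
  Marshal.load(Base64.decode64(blob))
rescue StandardError
  {}
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a user with an 8 KB attribute, like a cached profile.
  user = User.new(42, "alice@example.com", "x" * 8000)
  limit = 4096 # assumed column limit, matching the 4 KB the answer reports

  bad = session_with_model(user)
  good = session_with_id(user)
  puts "model in session: #{serialized_session(bad).bytesize} bytes, fits? #{session_fits?(bad, limit)}"
  puts "id in session:    #{serialized_session(good).bytesize} bytes, fits? #{session_fits?(good, limit)}"
  puts "token survives (model): #{session_after_truncated_write(bad, limit).key?("_csrf_token")}"
  puts "token survives (id):    #{session_after_truncated_write(good, limit).key?("_csrf_token")}"
end
```

Checking `session_fits?` before the write (or, in a Rails app, keeping the session down to ids and small scalars) is the practical fix; the `rescue StandardError` mirrors the store's behaviour of treating unreadable session data as no session at all, which is what silently discards the token.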

Source: https://habr.com/ru/post/1433027/
