I have a Rails application that I've upgraded from 3.0.7 to 3.2.6. I use Dalli and memcached for my session store.
Since I've upgraded, I've started getting `WARNING: Can't verify CSRF token authenticity` errors, and my sessions are being reset.
I call `csrf_meta_tags` in my header.
In my ApplicationController, I've overridden `verify_authenticity_token` in order to check what the app thinks the csrf_token is:
    # Debug override: calls verified_request? but ignores its result, so the
    # request is only logged, not rejected, while this is in place.
    def verify_authenticity_token
      verified_request?
      Rails.logger.info "+++ VERIFY AUTH TOKEN +++"
      Rails.logger.info session.inspect
    end
I submitted a form from my app, and the session data written to the logger was:
    {"_csrf_token"=>"4OQ47F2py+l12lLSTnq0RTmyPbmPi2UGMZaPhMG6vVQ="}
This differs from the value set on the page in the meta tag and from the value submitted with the form:
    {"authenticity_token"=>"qMsdBkTHoBH09+X0tnyoPsbtc752yKjCVHddrcufd7g="}
PROBLEM SOLVED
It turns out this was due to a configuration error.
I had been setting the `session_store` config in config/initializers/session_store.rb:
    require 'action_dispatch/middleware/session/dalli_store'
    Rails.application.config.session_store :dalli_store
This was initialized for all environments; however, in the development environment the default config for caching is `config.perform_caching = false`.
Deleting the initializer file and moving the session store config to the production.rb file fixed the issue for me.
    # session_store is a method that takes the store and its options,
    # not an assignment
    config.session_store :dalli_store, 'localhost:11211'
I'm just not sure why this wasn't an issue in 3.0.2, but is in 3.2.6.
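As an added illustration (not code from the question, from Rails or from Dalli), the following Ruby script models what happens to the CSRF token when the session store does not persist data between requests. `SessionBackend`, `FakeRequest` and `csrf_round_trip` are invented names; the token logic follows Rails 3.2's `form_authenticity_token` / `verified_request?` in simplified form.

```ruby
require 'securerandom'

# Hypothetical session backend used only for this illustration. With
# persist = true it behaves like a working cookie/memcached store; with
# persist = false it drops every write, which is what a cache-backed
# session store looks like to the app when nothing is actually stored.
class SessionBackend
  def initialize(persist)
    @persist = persist
    @data = {}
  end

  # Each request starts from whatever the backend currently holds.
  def load
    @data.dup
  end

  def save(session)
    @data = session.dup if @persist
  end
end

# One request's view of the CSRF token, modelled on Rails 3.2's
# form_authenticity_token / verified_request? (simplified, not Rails code).
class FakeRequest
  attr_reader :session

  def initialize(backend)
    @backend = backend
    @session = backend.load
  end

  # Lazily creates the per-session token. This is why the POST in the
  # question logged a _csrf_token that never appeared on the page: the
  # session arrived empty and a fresh token was minted during verification.
  def form_authenticity_token
    @session['_csrf_token'] ||= SecureRandom.base64(32)
  end

  # GET: render the form (csrf_meta_tags / form helpers embed the token).
  def render_form
    token = form_authenticity_token
    @backend.save(@session)
    token
  end

  # POST: the submitted token must equal the one held in the session.
  def verified_request?(params)
    form_authenticity_token == params['authenticity_token']
  end
end

# Simulate GET (render form) then POST (submit) as two separate requests
# that each reload the session from the backend.
def csrf_round_trip(persist)
  backend = SessionBackend.new(persist)
  page_token = FakeRequest.new(backend).render_form
  post = FakeRequest.new(backend)
  verified = post.verified_request?('authenticity_token' => page_token)
  { verified: verified, page_token: page_token,
    session_token: post.session['_csrf_token'] }
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |persist|
    r = csrf_round_trip(persist)
    puts "persist=#{persist}: verified=#{r[:verified]} " \
         "page=#{r[:page_token]} session=#{r[:session_token]}"
  end
end
```

Run it with `ruby` and the `persist=false` case reproduces the symptom in the question: the token logged from the session on the POST is freshly generated, never matches the one embedded in the page, and the check fails on every submission. Note also that the debug override of `verify_authenticity_token` above calls `verified_request?` without acting on its result, so while it is in place failures are logged but not enforced.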