
A Rails 3.2.15 app on AngularJS I'm working on keeps losing sessions. I've narrowed the problem down to CSRF token authenticity failure. I'm not sure why, but I am ending up with two XSRF-TOKEN cookies being set; one for the root domain, and one for the www. domain (site.com and www.site.com).

The wrong XSRF-TOKEN header value is being sent back because of this.

Initially, I had custom code in application_controller.rb that was handling the setting and validation of the values. I was ending up with two cookies here.

I ripped out that code, and am using the gem 'angular_rails_csrf' which, despite its name, doesn't actually do anything specific with Angular save for setting the name of the cookie to XSRF-TOKEN. Still, I am ending up with 2 distinct cookies with 2 distinct values.

The code that sets the cookie is:

```ruby
def set_xsrf_token_cookie
  cookies['XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery?
end
```

I've commented out that line and verified when doing so that NO XSRF-TOKEN cookie is set. I am assuming there's something obvious that I am missing.

Lastly, I added an after_filter in application_controller.rb and inspected the cookies object there -- I never observed a second XSRF-TOKEN there, and it seems like I am seeing this on the browser side and not the server.

Note: This does happen locally if using an FQDN (local.mysite.com:3000).

Thanks in advance for any help.

Seth Webster
  • How about trying to comment out the call to this function 'set_xsrf_token_cookie' and see whether a cookie is set or not?... Maybe it's getting called somewhere else. – Ahmed Fathy Mar 01 '15 at 08:18
  • Yeah, I did that (mentioned above) and the cookie is not set. Thanks for responding. – Seth Webster Mar 01 '15 at 16:35
  • Possible duplicate of [Share session (cookies) between subdomains in Rails?](http://stackoverflow.com/questions/10402777/share-session-cookies-between-subdomains-in-rails) – Paul Sweatte Nov 22 '15 at 05:38
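
A browser-side check for the situation described in the question, as an added example that is not part of the original post: it parses a `document.cookie`-style string and reports every cookie name that appears more than once, together with its values. The function names, the sample string and the first-match lookup are assumptions made for illustration.

```javascript
// Added example: find duplicate cookie names in a document.cookie-style string.
// Function names and the sample data are hypothetical, not from the original post.

// Split "a=1; b=2" into [name, value] pairs. Only the first "=" separates the
// name from the value, because base64 tokens can themselves contain "=".
function parseCookiePairs(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      const name = eq === -1 ? part : part.slice(0, eq);
      const raw = eq === -1 ? '' : part.slice(eq + 1);
      let value;
      // Cookie values are usually URL-encoded; keep the raw text if decoding fails.
      try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
      return [name, value];
    });
}

// Return { name: [values...] } for every cookie name seen more than once.
function findDuplicateCookies(cookieString) {
  const seen = new Map();
  for (const [name, value] of parseCookiePairs(cookieString)) {
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  const dupes = {};
  for (const [name, values] of seen) {
    if (values.length > 1) dupes[name] = values;
  }
  return dupes;
}

// A lookup by name alone can return only one of the values. This one returns
// the first match (an assumption about how the reading code behaves).
function readFirst(cookieString, name) {
  const hit = parseCookiePairs(cookieString).find(([n]) => n === name);
  return hit ? hit[1] : undefined;
}

// Constructed sample: two XSRF-TOKEN cookies with different values are visible.
const sample = 'XSRF-TOKEN=tokenA%3D%3D; _app_session=abc123; XSRF-TOKEN=tokenB%3D%3D';
console.log(findDuplicateCookies(sample));
console.log(readFirst(sample, 'XSRF-TOKEN'));
```

Passing `document.cookie` from the browser console on each hostname shows whether that page sees one XSRF-TOKEN value or two; the string does not include each cookie's domain, so the browser's cookie inspector is still needed to see which host each one belongs to.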

0 Answers