
I get random ActionController::InvalidAuthenticityToken errors on my production server. There are no AJAX requests, and all forms are created with Rails helpers (so they do include a hidden field with authenticity_token).

The problem appears randomly on random forms.

In my ApplicationController I have before_action :expires_now. Could that be a problem? I added this because my users often click 'back' in their browsers and I didn't want them having cached results.

My session_store.rb initializer looks like this:

Rails.application.config.session_store :cookie_store, key: '_myapp_session'

If that makes any difference, I use Devise with the timeoutable module and its config.timeout_in set to 1.hour.

I'm using Rails 5.0.1.

application_controller.rb:

class ApplicationController < ActionController::Base
  include Pundit
  rescue_from Pundit::NotAuthorizedError, with: :not_authorized
  # Raise ActionController::InvalidAuthenticityToken instead of silently
  # nulling the session when the token check fails.
  protect_from_forgery with: :exception
  add_flash_types :success, :warning, :danger, :info
  before_action :authenticate_user!
  before_action :set_current_user
  before_action :set_cache_headers

  def after_sign_out_path_for(_user)
    tasks_path
  end

  def not_authorized
    flash[:warning] = 'You are not authorized to execute this action.'
    redirect_to tasks_path
  end

  private

  def set_current_user
    User.current = current_user
  end

  # Tell browsers and proxies not to cache any response, so 'back' does not
  # show a stale page.
  def set_cache_headers
    response.headers['Cache-Control'] = 'no-cache, no-store'
    response.headers['Pragma'] = 'no-cache'
    response.headers['Expires'] = 'Fri, 01 Jan 1990 00:00:00 GMT'
  end
end
pmichna

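The check that raises InvalidAuthenticityToken compares the token in the form's hidden field against the token stored in the session (with :cookie_store, inside the _myapp_session cookie). The following is an added, self-contained Ruby model of that check; it is not the poster's code nor Rails' own, but a re-implementation of the Rails 5 masked-token scheme as I understand it (32-byte session token, each form carrying a one-time pad plus pad XOR token, base64 encoded), with the session as a plain Hash. It walks through the failure mode relevant here: a form rendered against one session is posted after the session has been replaced by an empty one (what happens when a session is reset between render and submit), and the same form token that validated before now fails.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # bytes; matches Rails' AUTHENTICITY_TOKEN_LENGTH

# Session is a plain Hash here; in Rails with :cookie_store it lives in the
# signed/encrypted session cookie. The first call mints the per-session token.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# What the form helper embeds in the hidden authenticity_token field:
# a fresh one-time pad followed by pad XOR token, base64 encoded, so every
# rendered form carries a different string for the same session token.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_byte_strings(pad, real_csrf_token(session)))
end

# Constant-time comparison so timing does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What protect_from_forgery checks on a non-GET request (modelled, not Rails' code).
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String)
  masked = begin
    Base64.strict_decode64(encoded)
  rescue ArgumentError
    return false
  end
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad = masked[0, TOKEN_LENGTH]
  encrypted = masked[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_byte_strings(pad, encrypted), real_csrf_token(session))
end

# Scenario: a form is rendered, the session is then replaced by an empty one
# (a reset session has no _csrf_token, so a new one is minted on next use),
# and the stale form is posted. Returns [valid_before_reset, valid_after_reset].
def stale_form_after_session_reset
  session = {}
  form_token = masked_authenticity_token(session)
  before_reset = valid_authenticity_token?(session, form_token)
  session = {} # constructed: the session as it looks after a reset
  after_reset = valid_authenticity_token?(session, form_token)
  [before_reset, after_reset]
end

# Two forms rendered in the same session carry different masked strings,
# yet both validate against that session.
def two_forms_same_session
  session = {}
  t1 = masked_authenticity_token(session)
  t2 = masked_authenticity_token(session)
  [t1 != t2, valid_authenticity_token?(session, t1), valid_authenticity_token?(session, t2)]
end

if __FILE__ == $PROGRAM_NAME
  p stale_form_after_session_reset   # [true, false]
  p two_forms_same_session           # [true, true, true]
  p valid_authenticity_token?({}, "not base64!") # false
end
```

The point the model makes is that the hidden field is only half of the check; the other half is whatever the session cookie holds at submit time, so anything that clears or replaces the session between rendering the form and posting it produces exactly this error even though the form itself was generated by a Rails helper.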