2

There are random CSRF errors on my app with ActionController::InvalidAuthenticityToken, like one out of 100 requests or more. Why would those errors appear randomly like this?

I get them on some regular <%= form_with %> tags, some on JavaScript POSTs (but it works most of the time because I add the meta[name='csrf-token'] as X-CSRF-TOKEN every time), some on devise/registrations#create, etc.

Why would it happen sometimes and not every time?

Regards

Nicolas Maloeuvre

1 Answer

3

A CSRF token will expire when a Rails session expires (except for some configurations).

Here is a scenario raising this error:

If a user has a form displayed on a page, goes away for a few dozen minutes (depending on session duration), and comes back to fill in the form, the session (and token) may have expired. Then at submission Rails will raise an InvalidAuthenticityToken error.

More about that here: Rails CSRF Tokens - Do they expire?

Another scenario involves (bad) bots: a bot could submit the form without using the token.

colinux
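As an added illustration of the expiry scenario in the answer above (my own code, not from the post or from Rails itself), here is a simplified model of a session-bound, per-request masked CSRF token. The masking and constant-time compare follow the general shape of Rails' scheme but are written from scratch here; `CsrfSession` and `stale_form_scenario` are names I chose for the example.

```ruby
require 'securerandom'

# Simplified model of a session-bound CSRF token (not Rails' own code).
# The secret lives in the session; each rendered form gets a differently
# masked copy, and submissions are only valid while that session is alive.
class CsrfSession
  TOKEN_LENGTH = 32

  def initialize(ttl_seconds:, now: Time.now)
    @expires_at = now + ttl_seconds
    @real_token = SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  def expired?(now = Time.now)
    now >= @expires_at
  end

  # Per-request token: XOR the secret with a one-time pad so the value in
  # the page differs on every render while unmasking to the same secret.
  def masked_token
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    [pad + xor(pad, @real_token)].pack('m0')
  end

  # True only if the session is still alive and the submitted token unmasks
  # to this session's secret. A stale page (session expired) or a token from
  # a different/new session fails here, which is the intermittent error.
  def valid_token?(submitted, now = Time.now)
    return false if expired?(now)
    raw = submitted.to_s.unpack1('m0') # strict base64; raises on garbage
    return false unless raw.bytesize == 2 * TOKEN_LENGTH
    pad, masked = raw[0, TOKEN_LENGTH], raw[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, masked), @real_token)
  rescue ArgumentError
    false
  end

  private

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time equality for equal-length byte strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The scenario from the answer: the form is rendered at t0, submitted promptly
# (accepted), then the same page is submitted after the session TTL (rejected).
def stale_form_scenario(ttl: 30 * 60)
  t0 = Time.at(0)
  session = CsrfSession.new(ttl_seconds: ttl, now: t0)
  token = session.masked_token
  [session.valid_token?(token, t0 + 60), session.valid_token?(token, t0 + ttl + 1)]
end
```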