
We are encountering an issue with form submission in the production environment. The criteria seem to be exceptionally rare; I have been unable to replicate the issue.

CSRF token is created and validated just fine.

Timing

The issue seems to occur only when users wait more than 2 hours on a form before submitting, but we have been unable to reproduce it that way either.

Logs

W, [2022-07-14T15:19:37.535241 #2433]  WARN -- : Can't verify CSRF token authenticity.
I, [2022-07-14T15:19:37.535556 #2433]  INFO -- : Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 291)
F, [2022-07-14T15:19:37.536425 #2433] FATAL -- :   
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

System configuration

Rails version 6.1.6
Ruby version 2.7.4

MBM_1607
  • What do you mean by _"CSRF token is created and validated just fine"_? Do you mean it works in general, or is the token that causes the error known to be valid at some point? – Stefan Jul 22 '22 at 09:14
  • Both of them actually. In this particular example, I had the user submit a login request with this token; that succeeded, and then later he submitted another form that caused the invalid-token error. – MBM_1607 Jul 22 '22 at 09:17
  • This seems to be a similar problem: https://stackoverflow.com/q/7744459/477037 (_"users sit on the real-time page for a long time. Every now and then the user gets kicked out"_). Maybe your sessions / cookies expire? – Stefan Jul 22 '22 at 09:22

1 Answer


Check in your initializers for a session_store.rb.

Inside it you may find an expire_after is already set:

```ruby
Rails.application.config.session_store :cookie_store,
                                       key: '_myapp_session_',
                                       expire_after: 30.minutes
```
Scott Milella
  • That isn't it. There is no expiry set on the session_store: ```Rails.application.config.session_store :cookie_store, { key: 'my_app_session', domain: :all, same_site: :strict, secure: !Rails.env.development? }``` – MBM_1607 Aug 25 '22 at 09:30
  • Well, if it's not coming from the cookie then I am confused. I would recommend you change your production logger to DEBUG so you can see all of the information, such as the EXACT USER having the issue. It sounds like some kind of minor bug, although it could also be a cache problem on the customer's or user's part too. I have had bad cache cause this before. Is it just one customer or many? You said userS, so I assume more than one? – Scott Milella Aug 25 '22 at 23:05
  • This article goes into a deep dive; maybe it will trigger a thought on your app. https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef – Scott Milella Aug 25 '22 at 23:14
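As an added illustration (not code from the question, the answer, or Rails itself), here is a minimal Ruby re-implementation of the masked-token scheme Rails 6.1 uses for CSRF protection, reduced to the session-level token with a plain Hash standing in for the cookie-store session. It shows why a token that validated earlier fails once the session cookie is replaced, which is the session-expiry explanation raised in the comments.

```ruby
require 'securerandom'
require 'base64'
# Minimal re-implementation of the Rails 6.1 masked CSRF token scheme
# (ActionController::RequestForgeryProtection), session-level token only.
TOKEN_LENGTH = 32

# Raw per-session secret, minted on first use and stored in the session.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# What the form helper embeds in the page: pad || (pad XOR secret), base64.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
end

# Constant-time comparison (stands in for ActiveSupport::SecurityUtils).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check on submit. Returns false instead of raising; Rails turns
# a false here into ActionController::InvalidAuthenticityToken (HTTP 422).
def valid_authenticity_token?(session, encoded)
  masked = Base64.strict_decode64(encoded.to_s)
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad = masked.byteslice(0, TOKEN_LENGTH)
  encrypted = masked.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  secure_compare(xor_bytes(pad, encrypted), real_csrf_token(session))
rescue ArgumentError
  false
end

# The scenario suspected in the thread: a form rendered under one session is
# submitted after the session cookie has been replaced by a fresh one.
def stale_session_scenario
  session = {}
  token = masked_authenticity_token(session)  # rendered into the form
  ok_before = valid_authenticity_token?(session, token)
  session = {}  # cookie expired or reset: new session, so a new secret is minted
  [ok_before, valid_authenticity_token?(session, token)]
end
```

Because the secret lives only in the session, anything that drops or replaces the session cookie between render and submit (expiry, a session reset on login, a cleared browser cache) makes every token already embedded in open forms invalid.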