
I've noticed that if you post with an invalid CSRF token, rails/devise automatically signs you out.

I have an application that doesn't refresh the page, and users sit on the real-time page for a long time. Every now and then the user gets kicked out. I'm wondering if the CSRF token is expiring, making it invalid.

Which is why I'm trying to learn: do Rails CSRF tokens expire? Is there a time setting somewhere?

Thanks

tadman
AnApprentice
  • Can you describe what the user is doing after being idle for a while (HTTP POST of a status update, GETing new data, etc.)? – Nick Oct 12 '11 at 18:09
  • May I ask you if you can answer this very similar question? https://stackoverflow.com/questions/50159847/single-page-application-and-csrf-token – May 06 '18 at 19:46

1 Answer

CSRF protection in Rails works by storing a random value as a field in the form being submitted, and also in the user session. If the values don't match when a form is submitted, Rails rejects the form submission request.

If you're using the default cookie session store in Rails, then sessions won't expire (until the cookie does). If you're using something else (file or DB backed sessions), then yes, if those sessions expire, the form submission will fail with a CSRF error.

So if you're using cookie based sessions (the default), check the cookie expiry. If that looks OK, it's probably some other issue.

madlep
  • You didn't mention the expiration time of the csrf cookie. Is it a session cookie? – Ethan Jul 05 '13 at 16:07
  • It is stored in the session, yes. It's only in the session cookie if you're not using an ActiveRecord-backed session. – Lambart Oct 25 '13 at 00:08
  • 1
    This answer really helped me grasp some concepts and resolve a bug we found. Thanks! Anyway I would really like to understand why the cookie is needed? If rails gives you an authenticiy_token and you submit the form back with that same token, why would the cookie be needed? I attempted to submit a form after clearing the cache and I got `ActionController::InvalidAuthenticityToken`. Does the token on the form get stored in the session and when the form get's submitted it sends both the cookie and form and it validates both tokens? Thanks. – Ryan-Neal Mes Oct 01 '15 at 15:57
  • 2
    @Ryan-NealMes A session cannot exist without a session cookie, so you need that to verify the authenticity token from the form against the one stored in the session. – Chris Peters Apr 05 '16 at 14:25
  • 2
    This is correct about sessions. The value that is stored in the session will not go away until the session does. It doesn't specifically answer about whether rails will continue to accept a given csrf token indefinitely. The answer to that is also yes, at least in Rails 4. There is no time component in either what is stored in the session or in the masked token that is rendered in the form. You might want to add that as well. – Patrick McGuire Dec 13 '16 at 15:53
  • May I ask you if you can answer this very similar question? https://stackoverflow.com/questions/50159847/single-page-application-and-csrf-token –  May 06 '18 at 19:44
  • 1
    But the cookie does expire eventually. What do you do when that happens? – Wylliam Judd Dec 21 '18 at 02:25
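A small model of the mechanism madlep's answer and Patrick McGuire's comment describe, added here as an illustration and not taken from Rails' own `ActionController::RequestForgeryProtection`: one random value per session, a freshly masked copy per rendered form, and a verification step that compares the unmasked copy with the session value and never consults a clock. The `:_csrf_token` session key mirrors the one Rails uses; the session itself is just a Hash in this example.

```ruby
require 'securerandom'
require 'base64'

# Illustrative model of Rails 4+ CSRF tokens (not Rails' own code): the session
# holds one random value; each form gets a masked copy; verification compares
# the unmasked copy with the session value and never looks at a clock.
module CsrfModel
  TOKEN_LENGTH = 32

  # One random value per session, created on first use (session is a Hash here).
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  end

  # Mask with a fresh one-time pad so every rendered form carries a different
  # string; output is base64(pad || pad XOR raw_token).
  def self.masked_token(session)
    raw = Base64.strict_decode64(session_token(session))
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  # Unmask the submitted value and compare it with the session's stored token.
  # A token stays valid as long as the session keeps the same stored value; a
  # new or expired session has a different value, so old tokens fail.
  def self.valid_token?(session, submitted)
    return false if submitted.nil?
    decoded = Base64.strict_decode64(submitted)
    return false unless decoded.bytesize == 2 * TOKEN_LENGTH
    pad = decoded.byteslice(0, TOKEN_LENGTH)
    masked = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
    expected = Base64.strict_decode64(session_token(session))
    secure_compare(xor(pad, masked), expected)
  rescue ArgumentError
    false # not valid base64 at all
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison of equal-length byte strings.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Calling `masked_token` twice on the same session yields two different strings that both verify, while handing the first one to a fresh session Hash fails, which is exactly what a user sees once the session behind the page has been reset.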