
Reasons for spontaneously authenticity token rejection on production site


I am with Dorian on this one as for the solution.

If you're looking for the cause I'm fairly positive that this issue report in rails github hits true, especially this little section:

> 1. Browser quits, clearing session cookies
> 2. Browser re-opens, reloads the page from cache without doing a request

This is especially true since by default Rails uses turbolinks which encourages caching (by default 10 pages if I recall).

Another way this can be potentially replicated is by having a user load your DOM (and thus your cookies / session) and then having them manually destroy their session or cookies through the browser management tools (e.g. chrome://settings). This should also reproduce the error since you will have the hidden tag for csrf in the form, but not the session cookie... and you need both.
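To make the "you need both" point concrete, here is an added, stand-alone Ruby simulation (not code from the answer above or from Rails itself) modelled on how Rails masks the per-form authenticity token against the secret kept in `session[:_csrf_token]`; the Base64 flavour and helper names are simplifications, and the scenario values are constructed.

```ruby
require 'securerandom'

# Added example: simplified model of Rails' CSRF token masking/verification.
TOKEN_LENGTH = 32 # bytes, matching the size Rails uses for the raw token

# Session-side secret; Rails keeps this in session[:_csrf_token].
def generate_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Form-side token: a fresh one-time pad followed by pad XOR secret, Base64
# encoded, so every rendered form carries a different masked value.
def masked_authenticity_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, session_token)].pack('m0')
end

def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: unmask the submitted token and compare it with the
# session secret. No session (cookie cleared) means nothing to compare
# against, so a perfectly good token from a cached page is still rejected.
def valid_authenticity_token?(session, submitted)
  session_token = session && session[:_csrf_token]
  return false if session_token.nil? || submitted.nil?
  decoded = submitted.unpack1('m0')
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), session_token)
rescue ArgumentError # submitted value was not strict Base64
  false
end

# The scenario from the linked issue: page rendered, then the session goes away.
def cached_page_scenario
  session = { _csrf_token: generate_session_token }
  form_token = masked_authenticity_token(session[:_csrf_token]) # baked into the cached page
  {
    normal_request: valid_authenticity_token?(session, form_token),
    cookies_cleared: valid_authenticity_token?(nil, form_token), # browser quit, cookie gone
    fresh_session: valid_authenticity_token?({ _csrf_token: generate_session_token }, form_token)
  }
end
```

Only `normal_request` passes; both the missing-session and the new-session cases fail, which is exactly the InvalidAuthenticityToken you see after a cached reload.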


You should probably null the session in your production environment instead of throwing an exception:

In your ApplicationController (or any controller you are concerned about) add:

protect_from_forgery with: :null_session

If you are really worried about it, my advice would be to log the error to Bugsnag for instance and there you will be able to review the request and understand why it happened.