- attached crash-20140911-1834.log
Crash during presentation
During the presentation of the site for Balrådet, there was a crash when trying to submit the registration form.
The attached log file from the event shows how the CSRF token doesn't seem to be valid:
Can't verify CSRF token authenticity
This seems to be caused by the web browser caching the site even though it is not static. When trying to retrieve the site twice, the site is delivered with a 304 Not Modified HTTP status. This behaviour is not expected as the server sends the following header:
$ curl -I http://desolate-headland-7399.herokuapp.com/anmalan
HTTP/1.1 200 OK
[...]
Cache-Control: max-age=0, private, must-revalidate
[...]
Comments (10)
-
reporter After a comment from my GF about "all forms expire/crash after like 20 mins", I think I found the cause. The CSRF token is stored in the session storage, normally an encrypted cookie in the client's browser which doesn't really expire. But since Rails was configured to use memcached as session storage, the expiration time is now 20 min. Further details tomorrow when I'm not on the phone in bed...
-
reporter The problem was probably introduced with 646a6b66 when session_store is set to use memcached, with an expiration time of 20 min. See config/initializers/session_store.rb line 4. Needs testing.
-
reporter Changed session storage back to cookie_store
The cache store timed out too early, making the CSRF token invalid. As the cookie store is encrypted, there should be no security implications for using it.
Refs
#43→ <<cset 158d1043970b>>
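As an added illustration of the diagnosis and the fix in the two comments above (this is not code from the project, the issue thread or Rails itself), the following Ruby models a CSRF token kept in a server-side session with a 20-minute TTL beside one kept in an encrypted client-side cookie, and shows which one still verifies when the form is submitted 25 minutes after it was rendered. `FakeClock`, `TtlSessionStore`, `EncryptedCookieStore`, `render_form`, `verify_csrf` and `submit_after` are hypothetical stand-ins for the Rails session stores and CSRF check; the 20-minute expiry is the value the reporter names.

```ruby
require 'securerandom'
require 'openssl'
require 'json'
require 'base64'

# Simulated clock so the 20-minute expiry can be exercised offline.
FakeClock = Struct.new(:now) do
  def advance(seconds)
    self.now += seconds
  end
end

# Stand-in for a memcached-backed session store (hypothetical, not the project's
# code): an entry vanishes expire_after seconds after being written.
class TtlSessionStore
  def initialize(clock, expire_after:)
    @clock, @expire_after, @entries = clock, expire_after, {}
  end

  # Returns the handle the client keeps: the session id in its cookie.
  def write(session)
    sid = SecureRandom.hex(16)
    @entries[sid] = { session: session, expires_at: @clock.now + @expire_after }
    sid
  end

  def read(sid)
    entry = @entries[sid]
    return nil if entry.nil?
    if @clock.now >= entry[:expires_at]
      @entries.delete(sid) # evicted: the token it held is simply gone
      return nil
    end
    entry[:session]
  end
end

# Stand-in for a cookie-backed session store: the session rides in the client's cookie
# under AES-256-GCM, so nothing server-side times out and the client cannot forge it.
class EncryptedCookieStore
  def initialize(key) # 32-byte secret known only to the server
    @key = key
  end

  # Returns the handle the client keeps: the encrypted session itself.
  def write(session)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv # 12 bytes
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext) # tag is 16 bytes
  end

  def read(cookie)
    raw = Base64.strict_decode64(cookie)
    iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue ArgumentError, TypeError, OpenSSL::Cipher::CipherError, JSON::ParserError
    nil # truncated, tampered or garbage cookie: treat as no session
  end
end

# Constant-time comparison so the token check does not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# GET of the form: mint a token, keep it in the session, embed it in the form.
def render_form(store)
  token = SecureRandom.base64(32)
  [store.write({ '_csrf_token' => token }), token]
end

# POST of the form: the submitted token must match the one in the session.
# A nil session is exactly the "Can't verify CSRF token authenticity" case.
def verify_csrf(store, handle, submitted)
  session = store.read(handle)
  return false if session.nil? || session['_csrf_token'].nil?
  secure_compare(session['_csrf_token'], submitted)
end

# Render the form, let the user take `minutes` to fill it in, then submit it.
def submit_after(store, clock, minutes)
  handle, token = render_form(store)
  clock.advance(minutes * 60)
  verify_csrf(store, handle, token)
end

if __FILE__ == $PROGRAM_NAME
  clock = FakeClock.new(Time.at(0))
  memcached = TtlSessionStore.new(clock, expire_after: 20 * 60)
  cookie = EncryptedCookieStore.new(SecureRandom.random_bytes(32))
  puts "memcached store, submitted after 25 min: #{submit_after(memcached, clock, 25)}" # false
  puts "cookie store,    submitted after 25 min: #{submit_after(cookie, clock, 25)}"    # true
end
```

The point the model makes is the one the reporter found: the CSRF check itself is fine in both stores, but a server-side store with a TTL shorter than the time a user takes to fill in a form drops the session, and with it the expected token, so every late submission is rejected as a forgery. The cookie-backed store has no such timer, and because the cookie is encrypted and authenticated the client still cannot read or fabricate a token, which is the reporter's argument that moving back to it has no security cost.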
-
Changed session storage back to cookie_store
The cache store timed out too early, making the CSRF token invalid. As the cookie store is encrypted, there should be no security implications for using it.
Refs
#43→ <<cset 53bcfb319d75>>
-
changed status to resolved
-
reporter Changed session storage back to cookie_store
The cache store timed out too early, making the CSRF token invalid. As the cookie store is encrypted, there should be no security implications for using it.
Refs
#43→ <<cset ebd3fb2a0831>>
-
reporter removed milestone
Removing milestone: Beta av färdigt system (beta of the finished system; DL: 7/9) (automated comment)