Crash during presentation

Issue #43 resolved
Fredrik repo owner created an issue

During the presentation of the site for Balrådet, there was a crash when trying to submit the registration form.

The attached log file from the event shows that the CSRF token doesn't seem to be valid: Can't verify CSRF token authenticity

This seems to be caused by the web browser caching the site even though it is not static. When the site is retrieved a second time, it is delivered with a 304 Not Modified HTTP status. This behaviour is not expected, as the server sends the following header:

$ curl -I http://desolate-headland-7399.herokuapp.com/anmalan
HTTP/1.1 200 OK
[...]
Cache-Control: max-age=0, private, must-revalidate
[...]

Comments (10)

  1. Fredrik reporter

    After a comment from my GF about "all forms expire/crash after like 20 mins", I think I found the cause. The CSRF token is stored in the session storage, normally an encrypted cookie in the client's browser which doesn't really expire. But since Rails was configured to use memcached as session storage, the expiration time is now 20 min. Further details tomorrow when I'm not on the phone in bed...

  2. Fredrik reporter

    Changed session storage back to cookie_store

    The cache store timed out too early, making the CSRF token invalid. As the cookie store is encrypted, there should be no security implications for using it.

    Refs #43

    → <<cset 158d1043970b>>
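
    The mechanism described in comment 1 and the fix in comment 2, as an added simulation that is not the project's code: a Rails-style forgery check (compare the form's token with the one in the session) run against a TTL-based server-side store standing in for memcached, and against a client-side signed cookie standing in for cookie_store. Class names, the handler names, the 'dev-secret' key and the 20 minute TTL are assumptions made for the example. Note that the simulated cookie store signs rather than encrypts: a signature is what the token comparison relies on, encryption only adds confidentiality of the session contents.

```ruby
require 'securerandom'
require 'openssl'
require 'base64'
require 'json'

# Constructed simulation of this issue's failure mode, not the project's code:
# the forgery check compares the token embedded in the form with the one stored
# in the session. If the session backend drops the session before the form is
# submitted, the token no longer matches ("Can't verify CSRF token authenticity").

module ConstantTime
  # Byte-wise comparison whose run time does not depend on where the strings differ.
  def self.eq?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Server-side store with a TTL, standing in for mem_cache_store with a 20 minute
# expiry. The clock is passed in explicitly so the example runs instantly.
class ExpiringStore
  def initialize(ttl_seconds)
    @ttl = ttl_seconds
    @data = {}
  end
  # Session hash for +sid+, or nil if it never existed or has expired.
  def load(sid, now)
    entry = @data[sid]
    return nil if entry.nil? || now - entry[:written_at] > @ttl
    entry[:session]
  end
  # Stores the session and returns the handle (session id) the client keeps.
  def save(sid, session, now)
    @data[sid] = { session: session, written_at: now }
    sid
  end
end

# Client-side store, standing in for cookie_store: the whole session travels in
# the cookie, HMAC-signed so the client cannot alter it, and nothing on the
# server can evict it. (This model signs only; it does not encrypt.)
class CookieStore
  def initialize(secret)
    @secret = secret
  end
  # Session hash if the cookie's signature verifies, else nil.
  def load(cookie, _now)
    return nil if cookie.nil?
    payload, sig = cookie.split('--', 2)
    return nil unless sig && ConstantTime.eq?(sig, sign(payload))
    JSON.parse(Base64.strict_decode64(payload))
  end
  # Returns the new cookie value; the server keeps nothing.
  def save(_cookie, session, _now)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{sign(payload)}"
  end
  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end
end

# The two request handlers involved, parameterised by the session store.
class App
  def initialize(store)
    @store = store
  end
  # GET /anmalan: load or create the session, make sure it carries a CSRF token,
  # and render that token into the form. Returns [form_token, client_handle].
  def render_form(handle, now)
    session = @store.load(handle, now) || {}
    session['_csrf_token'] ||= SecureRandom.base64(32)
    [session['_csrf_token'], @store.save(handle || SecureRandom.hex(16), session, now)]
  end
  # POST /anmalan: the protect_from_forgery check.
  def submit(handle, form_token, now)
    session = @store.load(handle, now) || {}
    ConstantTime.eq?(session['_csrf_token'], form_token) ? :ok : :invalid_authenticity_token
  end
end

# Renders the form at t=0 and submits it +delay+ seconds later.
def submit_after(store, delay)
  app = App.new(store)
  token, handle = app.render_form(nil, 0)
  app.submit(handle, token, delay)
end

TWENTY_MINUTES = 20 * 60

if __FILE__ == $PROGRAM_NAME
  p submit_after(ExpiringStore.new(TWENTY_MINUTES), 5 * 60)   # :ok
  p submit_after(ExpiringStore.new(TWENTY_MINUTES), 25 * 60)  # :invalid_authenticity_token
  p submit_after(CookieStore.new('dev-secret'), 25 * 60)      # :ok
end
```

    Run as a script it prints the three outcomes: a submission within the TTL passes, one after 25 minutes is rejected exactly as in the attached log, and the same delay with the cookie-backed session passes because nothing on the server side expired. A tampered cookie still fails the signature check and is treated as an empty session, so the move to the cookie store does not weaken the forgery check itself.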

  3. Martin Lindblom

    Changed session storage back to cookie_store

    The cache store timed out too early, making the CSRF token invalid. As the cookie store is encrypted, there should be no security implications for using it.

    Refs #43

    → <<cset 53bcfb319d75>>

  4. Fredrik reporter

    Changed session storage back to cookie_store

    The cache store timed out too early, making the CSRF token invalid. As the cookie store is encrypted, there should be no security implications for using it.

    Refs #43

    → <<cset ebd3fb2a0831>>

  5. Fredrik reporter
    • removed milestone

    Removing milestone: Beta av färdigt system (DL: 7/9) (automated comment)
