Crash during presentation

Issue #43 resolved

Fredrik repo owner created an issue 2014-09-11

During the presentation of the site for Balrådet, there was a crash when trying to submit the registration form.

The attached log-file from the event shows how the CSRF-token doesn't seem to be valid: Can't verify CSRF token authenticity

This seems to be caused by the web browser caching the site even though it is not static. When trying to retrieve the site twice, the site is delivered with a 304 Not Modified HTTP status. This behaviour is not expected as the server sends the following header:

$ curl -I http://desolate-headland-7399.herokuapp.com/anmalan
HTTP/1.1 200 OK
[...]
Cache-Control: max-age=0, private, must-revalidate
[...]

crash-20140911-1834.log

Comments (10)

Fredrik reporter
- attached crash-20140911-1834.log
- 2014-09-11T19:16:26+00:00
Fredrik reporter
After a comment from my GF about "all forms expire/crash after like 20 mins", I think I found the cause. The CSRF token is stored in the session storage, normally an encrypted cookie in the clients browser which doesn't really expire. But since rails was configured to use memcached as session storage, the expiration time is now 20 min. Further details tomorrow when I'm not on the phone in bed...
- 2014-09-11T21:33:02+00:00
Fredrik reporter
The problem was probably introduced with 646a6b66 when session_store is set to use memcached, with a expritation time of 20 min. See config/initializers/session_store.rb line 4. Needs testing.
- 2014-09-12T08:06:52+00:00
Fredrik reporter
Changed session storage back to cookie_store

The cache store timed out too early making the CSRF-token invalid. As the cookie store is encrypted, there should be no security implications for using it.

Refs ~~#43~~

→ <<cset 158d1043970b>>
- 2014-09-12T10:22:47+00:00
Fredrik reporter
- assigned issue to
  
  Fredrik
- 2014-09-12T10:24:53+00:00
Martin Lindblom
Changed session storage back to cookie_store

The cache store timed out too early making the CSRF-token invalid. As the cookie store is encrypted, there should be no security implications for using it.

Refs ~~#43~~

→ <<cset 53bcfb319d75>>
- 2014-09-12T11:51:15+00:00
Martin Lindblom
- changed status to resolved
- 2014-09-12T11:58:05+00:00
Fredrik reporter
Changed session storage back to cookie_store

The cache store timed out too early making the CSRF-token invalid. As the cookie store is encrypted, there should be no security implications for using it.

Refs ~~#43~~

→ <<cset ebd3fb2a0831>>
- 2014-09-17T13:41:07+00:00
Martin Lindblom
Changed session storage back to cookie_store

The cache store timed out too early making the CSRF-token invalid. As the cookie store is encrypted, there should be no security implications for using it.

Refs ~~#43~~

→ <<cset 53bcfb319d75>>
- 2014-09-17T14:45:22+00:00
Fredrik reporter
- removed milestone
Removing milestone: Beta av färdigt system (DL: 7/9) (automated comment)
- 2014-10-06T16:40:15+00:00
Log in to comment

Assignee: Fredrik

Type: bug

Priority: blocker

Status: resolved

Votes: 0

Watchers: 2