Rails InvalidAuthenticityToken only in one case - ruby-on-rails

Experiencing a really strange problem with csrf tags, I can't pin down. Here is the strange behavior:
If I manually enter the address for a form page, http://localhost:port/form_page, everthing works fine.
If I submit the form and there are errors, I redirect back to the form_page with errors, and everything works fine.
BUT, if I click on a link I created on another page with href='http://localhost:port/form_page', and then submit the form, I get an InvalidAuthenticityToken.
If I click on the link as in 3, then refresh the page before submitting, the form submits fine.
Not sure what I can change, since the form and controller appear to be good and are the same used in every case, but only fails in 25% of the cases above.

Related

Ruby on Rails: Page Redirect Issue

I am having trouble with a page redirect issue in a small multi-step form process within a Rails application. Here's the rundown,
1.) There are 3 pages to this form with a, "save" and "next", button at the bottom of each page.
2.) If a user has filled out new information on the page, and attempts to click the next button, a warning modal popups and prompts the user to save their changes, or discard. This is where my issue is occurring.
3.) Instead of directing the user to the next page as they intended after pressing the modal save button, it instead just refreshes the same page the user is currently on.
I've tried everything, but honestly am not very experienced with Rails. I have made a collection on codepen for you to see all of the files.
Rails Files
Quick breakdown of the three files you will see.
1.) The saveModal is the popup that prompts for save or discard.
2.) Skills is just one of the 3 pages in the form. Any important info for you here would be at the top and bottom of the document I assume.
3.) The controller code where I think the redirect is happening is also there.

Rails, Logout on Back Button in Browser

Quick question here.
I'm creating a 3-step form for a user - all AJAX (and using Devise). The user is created on the first step, and updated on the second two steps.
Now, the issue is that if a user hits the back button in their browser to go back to the first step, the Devise automatically changes the form action to update. But, the my update action renders partials that should only be rendered in steps 2 and 3 via Ajax.
How can I make it so that the user is logged out when hitting the back button so that the first form is always a new_user form?
One solution is to disable back button in browser at all.
You can use a modal to implement the three steps. If you are using Ajax, use it at full.
By this, there is no "back" button on the browser. But you can still have "back" button on your modal window, in this case the back option is totally in your control.
Add
For usability you should allow users to update their info at any time, instead of forcing them to complete all right after signed up.
I don't know what your next two steps are. But you can
Setup the update method to render the next two steps if an user has not finished them, or render other info if finished.
Show a notice if an user is signed in but has not finished the two steps.
By these you should be able to ensure whatever the user do on their browser, he can see what he need to do next. These should be applicable to either Ajax or no Ajax.

JQuery Mobile Back Button Functionality

I think this must be a common scenario-- but I can't seem to find a solution.
JQueryMobile site with authentication functionality:
Link on all pages takes user to dynamically loaded authentication page
All pages have back button functionality
A bad username and password causes an ajax form submission
Clicking the back button in this scenario takes you back to the authentication page (which makes sense because that's where you came from-- but if I input a bad password five times, I have to click on the back button five times before I get back to where I came from)
I guess what I want is to have the ajax form submission for logging in taken out of the "hash" history.
One way to solve this would be by keeping track of the failed attempts numberOfAttempts++. Then using history.go(-numberOfAttempts); when the back button is clicked.

Problem with back button following a postback on Jquery Mobile

I'm having problems with JQM beta1 (the same thing happens with beta2) and ASP.NET MVC 3.
I have several pages with forms, and they post to the same address of the page, then with MVC RedirectToAction the next page is called.
Initially I had problems with the back button, which I solved by adding the attribute data-url to the page div.
But now I have this page that has a server-side validation, so posting back a page with the same data-url, when the server-side validation keeps the user on the same page, and then user hits the back button, the url on the browser is changed correctly but the page is not rendered again, it seems to remain the same, then if I hit the back button again I can see the correct page (2 steps behind page).
This should not be so problematic, since there should be many sites using forms with validation and needing the back button working properly.
Is there any special attribute that needs to be set on the page div when the post stays on the same page?
Thanks!

IE6's back button and repost

My website is an asp.net-mvc(beta1) website, fully validates and works in all browsers (except obviously in IE6 for this matter).
I can reproduce the error by doing the following:
Make a POST request with some parameters
From the results click one of the generated GET links
Pressing the "BACK" button from the resulted page.
Sometimes the back button does nothing (last request's page keeps on screen, status says "Done")
Sometimes a completely empty page is shown with the correct URL and the "Done" status
Sometimes the res://ieframe.dll/repost.htm page is shown with "Cannot find server" title.
I have yet to find the triggering factor..
I'm guessing IE is not caching anything there so it will re-post the url. Nothing seems to be hitting my controller though.
What is happening? How can I start to debug this or even better: fix this?
Implement POST+REDIRECT+GET?
IE won't re-post without prompting the user. If IE isn't caching the results page (check what cache headers you are sending it), you should get the repost prompt. I don't know why you'd get 'Server not found' instead - sounds like a confused IE installation. (Is it a multiple-IE setup?)
As cletus mentioned, post-redirect-get is generally desirable for successful post forms.
To analyze the traffic between browser and server you should put Fiddler in bewteen.
This way you'll find out if IE6 sends any request at all back to the server upon hitting the back button.

Resources