After we update our RoR application and user has opened form and submits his form after code is updated our RoR application says Invalid Authenticity Token and than logs out user who submitted the form.
Is there any way how to solve this and update our code without logging out our users when they have submitted form after code is updated?
Related
I followed the Rails API quick start guide and I can create a user on auth0 or log in as an existing user and validate the web token, but I cant find next steps for creating a corresponding User model in rails.
Is there any guide that shows what callbacks or data is sent back when a user makes a request so I can associate a user in my database?
I have a view that displays list of users for a event and I have provided CRUD actions views for users view.
When superadmin tries to edit details of user, everything works fine.
but when user tries to use back button to return to its existing state, a Confirm Form Submission message displays.
And there's no error in rails console.
is there a way to solve this issue?
Confirm Form Submission Error
I have a Rails 4.2 application. Several months ago we started experiencing Invalid Authenticity Token errors. I've discovered that the following scenario reproduces the error:
1) User opens up browser and visit's ourwebsite.com/log-in.
2) User opens up second tab in the same browser and visits ourwebsite.com/enroll-in-course.
3) User goes back to tab one and logs in submitting a POST form.
4) User goes to tab two and submits a POST form on the enroll-in-course page.
5) Error appears.
Here's some general information about our app:
We are using Devise 3.4.1 with zero customization applied.
Our application controller runs protect_from_forgery with: :exception.
We use Turbolinks 2.5.
We are not caching either forms.
We run Turbolinks.pagesCached(0); in our Javascript on all pages.
To reiterate, both forms in the above scenario are POST forms. They work perfectly fine except in the above scenario.
From my knowledge, we have not made any changes in handling user sessions or CSRF tokens.
I have a theory that because we log in the user, the csrf_token stored in the session changes. Thus when the user submits a form in the second tab, the token from form will not match the token in the session and an InvalidAuthenticityToken is raised. What's wrong and how do I fix this? Better yet, is this even fixable?
I've been around the houses on this and I'm sure I'm approaching this the wrong way.
On my RoR site, users can enter details for a new post if they are logged out. But when they hit 'Create' I check if they are authenticated or not. If they are not, I ask the user to log in or create an account. Once logged in, I want the form to resubmit automatically with the original POST data. I'm using devise for authentication.
I have everything working, except retaining the original form POST data and avoiding a CSRF fail.
I think the CSRF fail is because the resubmitted data does not have the authenticity token - so I've turned off CSRF protection for now, until I fix the
POST data retention.
I can't store the data in the session as the form data includes an image and breaks the 4k session limit.
Please, is there a regular Rails pattern that solves this problem?
Thanks
Paul
It's simple: take authenticity token from new form (which you re-request after user logs in) and send it with the old request data.
I have a minor issue with SpringSecurity plugin in Grails application.
The user loads a form and lets the session expire.
After submiting the form, the user is redirected to login page.
After sucessfull login, the user is redirected back to the controller/action that handles the form submit, but the method is now GET instead of POST.
Is it possible to fix this behaviour without allowing the controller/action to be accessible via GET method?
Thanks in advance