lale-help / lale-help

A collaborative platform for volunteer refugee support.

Home Page: http://lale.help


Bug: Rollbar 27 - Invalid Auth Token

dottorer opened this issue · comments

@dottorer Rails includes a so-called authenticity_token in every form; they are part of its CSRF (cross-site request forgery) protection mechanism.

We get this error when the token has expired, which I assume happens when the session expires (30 minutes for lale). This could happen

  1. if the login form is opened but not submitted within the session expiry time
  2. if the browser serves a login page from its cache which has been generated >= 30 minutes ago.

To investigate further, we could contact grohaj@t-online.de, (s)he had this problem yesterday at 12:40:20 am and should be able to remember the circumstances.

Reason 1) could be mitigated by longer session expiry time, reason 2) by disallowing the browser from caching the login form (easily done with HTTP headers).

On first glance, we should not cache the login form then. Makes no sense if this is causing the token failure.

Could this also have to do with token in email or is this different?

Ok, I added this for the sign in form and pushed to staging (just to test the sign in still works).

But while I was able to reproduce the InvalidAuthenticityToken exception when the session is expired, I can't say for sure this issue will never come up again. I'm just guessing the browser caching is the cause of the problem; also people may sometimes just leave their sign in form open for >= 30 minutes.

What's wrong with the tokens in emails?

There is the occasional report by users that clicking on the buttons in an email shows them an error screen. It last happened to Matze during a demo at LRA in July. It would be that this has to do with too many open browser sessions with varying users logged in, but I cannot say for sure. Overall, I will need to provide much more concise replication instructions if it re-occurs.

For now, let's deploy this change and close it so we can see it go down in our prod system.

@dottorer I now handle this exception in the login form (no matter where it came from) and redisplay the login form along with a "please try again" message. That should be less scary than the previously unhandled exception (500 internal server error page).
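The two fixes discussed in this thread, the no-cache headers on the sign-in form and rescuing the invalid-token error so the user gets the form back with a "please try again" message instead of a 500, modelled in plain Ruby as an added example. This is not lale-help's code: Rails itself raises ActionController::InvalidAuthenticityToken and handles it with rescue_from; the 30-minute session lifetime is the one stated above, and all other names and header values are assumptions.

```ruby
require "securerandom"
# Added example, not lale-help's code: a plain-Ruby model of the two fixes from
# the thread (no-cache headers on the login form; rescuing the invalid-token error
# instead of returning a 500). Rails raises ActionController::InvalidAuthenticityToken
# and would use rescue_from; the 30-minute lifetime is the thread's, the rest is assumed.
SESSION_TTL = 30 * 60 # seconds
# Stops the browser from serving a stale login page (with an expired token) from cache.
NO_CACHE_HEADERS = {
  "Cache-Control" => "no-store, no-cache, must-revalidate",
  "Pragma" => "no-cache",
  "Expires" => "0"
}.freeze
class InvalidAuthenticityToken < StandardError; end
# Server-side session holding the CSRF token and its creation time.
Session = Struct.new(:csrf_token, :created_at) do
  def expired?(now)
    now - created_at > SESSION_TTL
  end
end
def new_session(now)
  Session.new(SecureRandom.hex(16), now)
end

# Constant-time comparison so the token check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Render the sign-in form with the session token and the no-cache headers.
def render_login(session, flash: nil)
  { status: 200, headers: NO_CACHE_HEADERS, csrf_token: session.csrf_token,
    flash: flash, session: session }
end

# Raise when the session is missing/expired or the submitted token does not match.
def verify_token!(session, submitted, now)
  raise InvalidAuthenticityToken if session.nil? || session.expired?(now)
  raise InvalidAuthenticityToken unless secure_equal?(submitted, session.csrf_token)
end

# Sign-in POST: a bad token redisplays the form on a fresh session with a
# "please try again" message instead of an unhandled 500.
def handle_sign_in(session, submitted_token, now)
  verify_token!(session, submitted_token, now)
  { status: 302, location: "/" }
rescue InvalidAuthenticityToken
  render_login(new_session(now), flash: "Your sign-in form expired, please try again.")
end
```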