lale-help / lale-help

A collaborative platform for volunteer refugee support.

Home Page: http://lale.help

Investigate Rollbar Error 27 - InvalidAuthenticityToken

dottorer opened this issue · comments

The AuthenticityToken is used to mitigate CSRF (session riding) attacks. Technically Rails always has a session, which is for example used to transport flash messages across requests; this does not mean there is a 'user session'. It is safe to not check the AuthenticityToken for pages like:

https://app.lale.help/reset_password
https://app.lale.help/login
https://app.lale.help/join/XXX

as they are public pages and any attacker could just use those pages directly (IMO), i.e. just check the AuthenticityToken when there is a current_user.

This would remove the bigger portion of the InvalidAuthenticityToken errors.

The remaining incidents:
https://app.lale.help/circles/12/members/215/activate
https://app.lale.help/circles/8/tasks/499/comments
https://app.lale.help/circles/21/tasks/401/decline
It is still unclear how these can happen - still investigating.
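To make the proposal in the issue concrete, here is an added example (not code from the lale-help project or from Rails itself) in plain Ruby. It mimics the shape of Rails' masked CSRF token (a random one-time mask XORed with the raw session token, base64 encoded) and implements the suggested policy: the token is only verified when a `current_user` is present. The `check_request` helper and its keyword arguments are assumptions for illustration.

```ruby
require 'securerandom'
require 'base64'

# Added example, not lale-help project code. Rails stores a raw token in the
# session and renders a freshly masked copy of it into each form.
TOKEN_LENGTH = 32

def new_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# XOR two equal-length binary strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask the session token with a one-time pad so the value seen in each
# form differs per request (the same token would otherwise repeat in every page).
def masked_token(session_token)
  mask = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(mask + xor_bytes(session_token, mask))
end

# Constant-time comparison: no early exit on the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decode a submitted (masked) token, unmask it and compare to the session token.
def valid_token?(session_token, submitted)
  return false if submitted.nil? || session_token.nil?
  decoded = Base64.strict_decode64(submitted)
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  mask   = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(masked, mask), session_token)
rescue ArgumentError # submitted value was not valid base64
  false
end

# The policy proposed in the issue (hypothetical helper): skip the check when
# nobody is signed in, otherwise require a valid token. Returns :skipped, :ok or :invalid.
def check_request(current_user:, session_token:, submitted_token:)
  return :skipped if current_user.nil?
  valid_token?(session_token, submitted_token) ? :ok : :invalid
end
```

In a real Rails controller the same policy is expressed with the `if:`/`unless:` options of `protect_from_forgery` rather than hand-written token code; the block above only shows what the check decides and why a malformed or mismatched token is rejected.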