InvalidAuthenticityToken after Devise login/logout in another tab
I have some problems with the InvalidAuthenticityToken exception when changing the user authentication state in different tabs.

My app is quite simple. In fact, it is just a basic learning app for my studies:
https://github.com/antonkoh/railsrep/tree/master/lesson17/my_app

It uses the Devise gem for authentication:

    <%= link_to "Sign out", destroy_user_session_path, method: :delete %>
    <%= link_to "Sign in", new_user_session_path %>

protect_from_forgery is set to :exception, as it is a browser app, nothing API related yet.

I do have <%= csrf_meta_tags %> specified in my layout.

The problem is reproduced in many different ways. Just a couple of general examples:

or

I have introduced my own means to make sure that certain actions are available to certain signed-in users, but I don't even get to see them in action because of this exception. Is it supposed to work this way, just throwing itself at any PATCH request from an unrefreshed page after a user authentication state change? Will my application become less secure if I change the forgery protection mode to null_session or reset_session?

Thank you very much
This is normal and expected. You need to understand what sessions are.

In your app, sessions are stored in cookies. Browser tabs share cookies. It's the same if you open a browser window via another.

For security reasons, the session should be reset after login/logout. Devise is just doing its job.

Once the session is reset, the old CSRF token is no longer valid. That's why when you submit a POST request from the old tab, it raises InvalidAuthenticityToken.

For user experience, you can rescue the InvalidAuthenticityToken error in the controller, then redirect the user to a new page, or reload the page for the user with an error message.

Hope this helps.
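The mechanism the answer describes, as an added example that is not part of the original post and is not Rails or Devise code: a pure-Ruby model of how Rails binds the CSRF token to the session (a random secret kept in the session under _csrf_token, emitted in forms as a per-request masked copy), what happens to a token minted in tab A once a sign-out in tab B resets the shared session, and a controller-style rescue that turns the exception into a redirect with a message. Session, ToyController, stale_tab_scenario and the redirect target /users/sign_in are hypothetical names chosen for the illustration; the token layout mirrors the Rails masking scheme but is simplified.

```ruby
require 'securerandom'
require 'base64'

# Hypothetical stand-in for ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

# Minimal model of a cookie-backed session. Like Rails, it keeps the raw
# CSRF secret in the session under :_csrf_token and creates it lazily.
class Session
  def initialize
    @data = {}
  end

  def csrf_token
    @data[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Devise/Warden resets the session on sign-in and sign-out. Every tab
  # shares the same cookie, so all tabs lose the old secret at once.
  def reset!
    @data = {}
  end
end

# Form token as Rails emits it: a random one-time pad followed by the
# secret XORed with that pad, base64-encoded. Each form gets a different
# token, but every one of them unmasks to the same session secret.
def masked_token(session)
  raw = Base64.strict_decode64(session.csrf_token)
  pad = SecureRandom.random_bytes(raw.bytesize)
  masked = raw.bytes.zip(pad.bytes).map { |a, b| a ^ b }.pack('C*')
  Base64.strict_encode64(pad + masked)
end

# Constant-time comparison so the check does not leak the secret via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Unmask the submitted token and compare it with the secret in the
# *current* session. After a reset the session holds a fresh secret, so a
# token minted by a page rendered before the reset can no longer match.
def valid_token?(session, token)
  decoded = Base64.strict_decode64(token.to_s)
  secret = Base64.strict_decode64(session.csrf_token)
  return false unless decoded.bytesize == secret.bytesize * 2
  pad = decoded[0, secret.bytesize]
  masked = decoded[secret.bytesize, secret.bytesize]
  unmasked = masked.bytes.zip(pad.bytes).map { |a, b| a ^ b }.pack('C*')
  secure_compare(unmasked, secret)
rescue ArgumentError
  false # not valid base64
end

# Stand-in for a controller that keeps protect_from_forgery with: :exception
# but rescues the error to give the user a redirect plus a message instead
# of an error page, as the answer suggests (hypothetical, not Rails code).
class ToyController
  def initialize(session)
    @session = session
  end

  def patch(params)
    raise InvalidAuthenticityToken unless valid_token?(@session, params[:authenticity_token])
    { status: 200, body: 'updated' }
  rescue InvalidAuthenticityToken
    { status: 302, location: '/users/sign_in',
      flash: 'Your session changed in another tab; please reload the page and try again.' }
  end
end

# Replay the scenario from the question: tab A renders a form, the user
# signs out in tab B (session reset), then tab A submits its stale form.
def stale_tab_scenario
  session = Session.new
  tab_a_token = masked_token(session) # form rendered in tab A
  session.reset!                      # sign-out (or sign-in) in tab B
  ToyController.new(session).patch(authenticity_token: tab_a_token)
end

puts stale_tab_scenario.inspect if $PROGRAM_NAME == __FILE__
```

The point to take from the model is that the check is not about the token's age but about which session secret it was minted from: a token from a page rendered before the reset fails, while a freshly rendered form in the same (new) session passes. Rescuing the exception only changes how the failure is presented; the request is still refused, so switching to null_session or reset_session for a cookie-based browser app is not needed to fix the user experience.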