
InvalidAuthenticityToken after Devise login/logout in another tab

I have some problems with the InvalidAuthenticityToken exception when changing user authentication state in different tabs.

My app is quite simple. In fact, just a basic learning app for my studies. https://github.com/antonkoh/railsrep/tree/master/lesson17/my_app

It uses the Devise gem for authentication:

 <%= link_to "Sign out", destroy_user_session_path, method: :delete %>

 <%= link_to "Sign in", new_user_session_path %>

protect_from_forgery is set to :exception as it is a browser app, nothing API related yet.

I do have <%= csrf_meta_tags %> specified in my layout.

The problem is reproduced in many different ways. Just a couple of general examples:

  1. On tab A I open a form to add/edit a post as an anonymous user.
  2. On tab B I sign in as any user.
  3. Back on tab A I try to add the post. Result: InvalidAuthenticityToken

or

  1. On tab A I open a list of posts as a signed-in user.
  2. On tab B I sign out.
  3. Back on tab A I try to destroy a post. Result: InvalidAuthenticityToken

I have introduced my own means to make sure that certain actions are available to certain signed-in users, but I don't even get to see them in action because of this exception. Is it supposed to work this way, just throwing itself at any PATCH request from an unrefreshed page after a user authentication state change? Will my application become less secure if I change the forgery protection mode to null_session or reset_session?

Thank you very much

This is normal and expected. You need to understand what sessions are.

In your app, the session is stored in a cookie, and browser tabs share cookies. It's the same if you open a browser window via another.

For security reasons, the session should be reset after login/logout. Devise is just doing its job.

Once the session is reset, the old CSRF token is no longer valid. That's why when you submit a POST request from the old tab, it raises InvalidAuthenticityToken.

For a better user experience, you can rescue the InvalidAuthenticityToken error in the controller, then redirect the user to a new page, or reload the page for the user with an error message.

Hope this helps.
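As an added illustration of the answer above (this is not code from the original post, from the asker's repository, or from Rails or Devise themselves), the following plain-Ruby script models how Rails binds the CSRF token to the session and why the token baked into an unrefreshed tab stops verifying once a sign-in or sign-out in another tab replaces the session. The masking scheme follows the one Rails uses (session secret XORed with a per-render one-time pad) but is a simplified re-implementation; `Browser`, `create_post` and `create_post_with_rescue` are hypothetical names standing in for the browser's cookie jar, a non-GET action under `protect_from_forgery with: :exception`, and a `rescue_from ActionController::InvalidAuthenticityToken` handler. Devise's token cleanup on sign-in and session reset on sign-out are both modelled as simply issuing a fresh session.

```ruby
require 'securerandom'
require 'base64'

# Stand-in for ActionController::InvalidAuthenticityToken (illustrative only).
class InvalidAuthenticityToken < StandardError; end

TOKEN_LENGTH = 32

# A fresh Rails-style session. The CSRF secret lives inside the session,
# so a new session means a new secret for every tab of the browser at once.
def new_session(extra = {})
  { '_csrf_token' => Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH)) }.merge(extra)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| (x ^ y).chr }.join
end

# What csrf_meta_tags / a form's hidden authenticity_token carry: the session
# secret XORed with a fresh one-time pad, pad prepended. Every render yields a
# different value, yet all of them verify against the same session secret.
def masked_token(session)
  raw = Base64.strict_decode64(session['_csrf_token'])
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(raw, pad))
end

# Server-side check: unmask and compare, in constant time, against the secret
# in the session that arrived with *this* request. Malformed input (wrong
# length, bad Base64, nil) is rejected rather than raising.
def valid_token?(session, submitted)
  decoded = Base64.strict_decode64(submitted.to_s)
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded[0, TOKEN_LENGTH]
  unmasked = xor_bytes(decoded[TOKEN_LENGTH, TOKEN_LENGTH], pad)
  expected = Base64.strict_decode64(session['_csrf_token'])
  return false unless unmasked.bytesize == expected.bytesize
  unmasked.bytes.zip(expected.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
rescue ArgumentError
  false
end

# One browser = one cookie jar; every tab sends the same session cookie.
class Browser
  attr_reader :session

  def initialize
    @session = new_session
  end

  # Rendering a page in a tab stamps it with a token from the session as it
  # was at render time; the tab never learns about later session changes.
  def render_tab
    masked_token(@session)
  end

  # Devise sign-in / sign-out rotate the session (and so the secret), modelled
  # here as issuing a fresh session. This is an assumption of the model.
  def sign_in(user_id)
    @session = new_session('user_id' => user_id)
  end

  def sign_out
    @session = new_session
  end
end

# A non-GET action under protect_from_forgery with: :exception.
def create_post(session, params)
  raise InvalidAuthenticityToken unless valid_token?(session, params['authenticity_token'])
  { status: 201, body: 'post created' }
end

# The user-experience fix the answer suggests: the equivalent of
# `rescue_from ActionController::InvalidAuthenticityToken` in
# ApplicationController, turning the error page into a redirect with a message.
def create_post_with_rescue(session, params)
  create_post(session, params)
rescue InvalidAuthenticityToken
  { status: 302, location: '/posts',
    alert: 'Your sign-in state changed in another tab; please reload and try again.' }
end

# Reproduce the asker's first scenario with constructed inputs.
if __FILE__ == $PROGRAM_NAME
  browser = Browser.new
  tab_a = browser.render_tab   # anonymous form opened in tab A
  puts create_post(browser.session, 'authenticity_token' => tab_a)[:status]              # 201
  browser.sign_in(1)           # sign in from tab B; the shared session is replaced
  puts create_post_with_rescue(browser.session, 'authenticity_token' => tab_a)[:status]  # 302
end
```

Two things the model makes visible: every tab's form carries a token derived from the session that existed when that tab was rendered, and verification only ever consults the session cookie sent with the current request. Sign-in or sign-out in any tab replaces that session for all tabs, so a stale tab's submission fails exactly as the answer describes; the rescue path is purely a UX measure and does not weaken the check.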
