random ActionController::InvalidAuthenticityToken in my rails app
There are random CSRF errors on my app with ActionController::InvalidAuthenticityToken. Like, one out of 100 requests or more. Why would those errors appear randomly like this?
I got them on some regular <%= form_with %> tags, some on JavaScript posts (but it works most of the time because I add the meta[name='csrf-token'] as X-CSRF-TOKEN every time), some on devise/registrations#create, etc.
Why would it happen sometimes and not every time?
Regards
A CSRF token will expire when a Rails session expires (except for some configurations).
If a user has a form displayed on a page, goes away for a few dozen minutes (depends on session duration), and comes back to fill in the form, the session (and token) may have expired. Then at submission Rails will raise an InvalidAuthenticityToken error.
More about that here: Rails CSRF Tokens - Do they expire?
Another scenario involves (bad) bots: a bot could submit the form without using the token.
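
The two scenarios from the answer above, as an added example that is not part of the original answer and is not Rails' own code: a simplified plain-Ruby model of a CSRF token that is bound to the session and masked per page render. The names new_session, form_token, valid_token? and scenarios are hypothetical, and the session is modelled as a Hash.

```ruby
require "securerandom"

TOKEN_LENGTH = 32 # bytes; constant chosen for this model

# Hypothetical stand-in for a server-side session holding the real token.
def new_session
  { csrf: SecureRandom.random_bytes(TOKEN_LENGTH) }
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison of two equal-length byte strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token rendered into the form or meta tag: pad + (pad XOR real token),
# so every render looks different but unmasks to the same session token.
def form_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, session[:csrf])].pack("m0")
end

# Check on POST: unmask the submitted value and compare it with the
# token held by the *current* session.
def valid_token?(session, submitted)
  return false if submitted.nil? || submitted.empty?
  raw = submitted.unpack1("m0")
  return false unless raw.bytesize == TOKEN_LENGTH * 2
  pad = raw.byteslice(0, TOKEN_LENGTH)
  masked = raw.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  secure_equal?(xor_bytes(pad, masked), session[:csrf])
rescue ArgumentError # submitted value was not valid base64
  false
end

def scenarios
  session = new_session
  page_token = form_token(session)           # page rendered, left open
  fresh = valid_token?(session, page_token)  # submitted right away
  session = new_session                      # session expired or was reset
  stale = valid_token?(session, page_token)  # same open page submitted later
  bot = valid_token?(session, nil)           # POST sent without any token
  { fresh: fresh, stale: stale, bot: bot }
end

p scenarios if __FILE__ == $PROGRAM_NAME
```

Only the requests whose session changed between page render and submit fail, which is why the error shows up on a small fraction of requests rather than on every one.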