nil can't be coerced into Fixnum

[fbjork]

When I share a session created in Phoenix with my Rails 4.2 app I get the following exception in my views when calling form_authenticity_token or csrf_meta_tags. Any ideas?

nil can't be coerced into Fixnum

comes from this line:

vendor/bundle/ruby/2.3.0/gems/actionpack-4.2.8/lib/action_controller/metal/request_forgery_protection.rb:321

def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end

[josevalim]

The tokens generated by Rails and Plug seem to have different length and Rails does not expect that:

irb(main):004:0> [1,2,3].zip([4,5]).map { |(c1,c2)| c1 ^ c2 }
TypeError: nil can't be coerced into Fixnum
    from (irb):4:in `^'

The best solution here is probably to guarantee that Rails and Plug use different CSRF tokens names in the session. I have just pushed a commit to Plug that will allow us to do so. In your deps in mix.exs:

{:plug, github: "elixir-lang/plug", override: true}

And in your router:

plug :protect_from_forgery, session_key: "_my_csrf_token_key"

Please let me know how it goes. The downside of this approach is that you can't POST from a Phoenix page to a Rails page though. If that's important, it may be necessary to guarantee their CSRF tokens are compatible (which would probably be an effort for this project).

Also note you will be using Plug master, which is unreleased, so if you find any failure, please let us know.

[paulnicholson]

@fbjork I just saw this issue, not sure if you already solved your problem. I created plug_rails_csrf_protection for this very reason. It's not just the token length but also how it is encoded/masked for the form that is different between Rails and the CSRFProtection plug. I have successfully used plug_rails_csrf_protection to post between Rails and Phoenix.

[cconstantin]

I missed this issue, duh. Is this still a problem?