cschiewek / devise_ldap_authenticatable

Devise Module for LDAP
MIT License

WARNING: Can't verify CSRF token authenticity on IE11 #190

Closed isness closed 8 years ago

isness commented 9 years ago

Hello everyone,

I'm using devise_ldap_authenticatable to authenticate ActiveDirectory users to access my web app. The application seems to be unable to end the user session on IE11.

The error happens when the user clicks the "sign out" link, and only if he is using IE11. The session remains active, and by clicking on other links the user is able to view pages that he shouldn't be able to see after logging out. How can I solve this problem? Firefox and Google Chrome are working as expected (the user gets redirected to the login page). In my application.html.erb I have:

    <%= link_to('Sign out', destroy_user_session_path, :method => :delete) %>

My ApplicationController.rb:

    class ApplicationController < ActionController::Base
      if Rails.env.production? then
        before_filter :authenticate_user!
      end

      rescue_from DeviseLdapAuthenticatable::LdapException do |exception|
        render :text => exception, :status => 500
      end

      protect_from_forgery
    end

I also noticed I'm getting a "WARNING: Can't verify CSRF token authenticity" error in the log when logging out. After this error I can just click "Back" and return to the session.

gustaflindqvist commented 8 years ago

This was a behaviour change made to fix a security vulnerability in light of new research:

http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails