pelargir / auto-session-timeout

Provides automatic session timeout in a Rails application.
MIT License
126 stars 63 forks

copy the session of csrf-token before reset session #20

Closed killernova closed 7 years ago

killernova commented 7 years ago

The reason for 'CSRF token invalid' is that the whole session is removed, but the csrf-token session really should not be included in what gets cleared. So just copying the original session[:_csrf_token] and assigning it back after reset session would help to solve the problem. This way, users do not have to modify any code.

pelargir commented 7 years ago

Thanks for this idea. I think a better solution is simply to exclude both controller actions from the CSRF verification completely. I've built and published a new version of the gem (0.9.5) which does this. Please give it a try and let me know if you experience further problems.

killernova commented 7 years ago

The latest version helps this problem, thanks.
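
The two fixes discussed in this thread, compared in a plain-Ruby simulation. This is an added example, not code from the pull request or the gem; `ToyApp`, the strategy names, the `:update` action and the action names `active` and `timeout` are assumptions made for illustration.

```ruby
require "securerandom"
# Toy stand-in for a session plus CSRF check (constructed for this example;
# not Rails' or the gem's implementation).
class ToyApp
  CSRF_EXEMPT = %i[active timeout].freeze # assumed names for the two actions

  # strategy: :plain_reset, :preserve_token or :exempt_actions
  def initialize(strategy)
    @strategy = strategy
    @session = {}
  end

  # Token rendered into a page, stored like session[:_csrf_token].
  def form_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Session timeout: everything is cleared, as reset_session would do.
  def expire_session!
    saved = @session[:_csrf_token]
    @session = {}
    @session[:_csrf_token] = saved if @strategy == :preserve_token
  end

  # Returns :ok or :invalid_csrf for a request that carries `token`.
  def request(action, token)
    return :ok if @strategy == :exempt_actions && CSRF_EXEMPT.include?(action)
    expected = @session[:_csrf_token]
    !expected.nil? && secure_equal?(expected, token.to_s) ? :ok : :invalid_csrf
  end

  private
  # Constant-time comparison for equal-length strings.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A page rendered before the timeout sends its (now stale) token afterwards.
# :update stands for any other state-changing action (hypothetical).
def stale_page_outcomes(strategy)
  app = ToyApp.new(strategy)
  stale = app.form_token
  app.expire_session!
  app.form_token # the next page render gets a token (new unless preserved)
  { timeout: app.request(:timeout, stale), update: app.request(:update, stale) }
end

%i[plain_reset preserve_token exempt_actions].each { |s| puts "#{s}: #{stale_page_outcomes(s)}" }
```

With a plain reset the stale token is rejected everywhere; preserving the token makes it pass everywhere, so a token issued before the timeout stays valid after it. Exempting only the two status actions lets those requests through while the stale token is still rejected for other actions.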