redis-store / redis-actionpack

Redis stores for ActionPack
http://redis-store.org/redis-actionpack
MIT License

ActionController::InvalidAuthenticityToken in Rails 7 #37

Closed fdocr closed 2 years ago

fdocr commented 2 years ago

When adding redis-actionpack directly from master to test Rails 7 compatibility I'm running into a CSRF Token error.

It's hard for me to debug this deeper, but from what I've found it seems that either redis-actionpack or redis-rack are interfering with the way actionpack validates the CSRF Tokens.

I created this example app which consists of a rails new (first commit) and then a second commit that adds a basic form (all on the main branch).

This PR (on that ^ same repo) adds the config.session_store :redis_store configuration. When adding this is when the error is reproduced. Maybe I'm missing something? Any ideas/suggestions would be greatly appreciated.

I don't think it should make any difference, but I'm running macOS on an M1 machine.

tabuchik commented 2 years ago

The signed: true option may cause a CSRF error in my application.

(Also in Rails 6.1.4.4 and redis-actionpack 5.2.0.)

Without signed: true, my application works with Rails 7.0.1 and redis-actionpack daf3491 (commit hash).

citizen428 commented 2 years ago

@tabuchi0919 We're having similar issues and after some (actually a lot of) digging, I found the following comment:

https://github.com/redis-store/redis-store/issues/342#issuecomment-780915357

This explicitly mentions disabling signing when using the Redis store:

Think there might be a discrepancy with how Rails 6 signed: true works vs the whole point of storing stuff in a centralized session store. In short, you probably don't want to use a centralized store if you're going to be signing and encrypting sessions, because a.) you don't need to, and b.) I don't know if it's possible.
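The two configurations the thread compares (tabuchik's working one without signed: true, and the one the linked comment advises against), as an added example that is not from the issue or from redis-actionpack itself. It is written as a helper so it can be exercised outside a Rails process; the option names servers:, expire_after:, key:, secure: and httponly: are assumed to be the ones redis-actionpack forwards to the Rack session layer, and the Redis URL and app name are constructed.

```ruby
# Build the option hash for config.session_store :redis_store.
# With a server-side store the cookie carries only an opaque session id, so the
# session contents never leave the server and signing the cookie adds nothing;
# signed: true is the setting the thread identifies as the CSRF-token trigger,
# so it is only added when explicitly requested (to reproduce the failing case).
def redis_session_options(app_name:, signed: false)
  opts = {
    servers: ["redis://localhost:6379/0/session"], # constructed: db 0, key namespace "session"
    expire_after: 90 * 60,                          # seconds (90.minutes inside a Rails app)
    key: "_#{app_name}_session",                    # cookie name holding the session id
    secure: true,                                   # only sent over HTTPS
    httponly: true                                  # not readable from page scripts
  }
  opts[:signed] = true if signed                    # the variant that breaks CSRF validation
  opts
end

# Apply the options to a Rails-style config object, e.g. from
# config/initializers/session_store.rb:
#   configure_redis_session(Rails.application.config, app_name: "myapp")
# Returns the options actually passed so callers can inspect them.
def configure_redis_session(config, app_name:, signed: false)
  opts = redis_session_options(app_name: app_name, signed: signed)
  config.session_store :redis_store, **opts
  opts
end
```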

fdocr commented 2 years ago

Closing since it was clarified