Closed fdocr closed 2 years ago
`signed: true` option may cause a CSRF error in my application. (Also in Rails 6.1.4.4 and redis-actionpack 5.2.0.)

Without `signed: true`, my application works with Rails 7.0.1 and redis-actionpack daf3491 (commit hash).
@tabuchi0919 We're having similar issues and after some (actually a lot) of digging, I found the following comment: https://github.com/redis-store/redis-store/issues/342#issuecomment-780915357

This explicitly mentions disabling signing when using the Redis store:

> Think there might be a discrepancy with how Rails 6 `signed: true` works vs the whole point of storing stuff in a centralized session store. In short, you probably don't want to use a centralized store if you're going to be signing and encrypting sessions, because a.) you don't need to, and b.) I don't know if it's possible.
Closing since it was clarified
When adding `redis-actionpack` directly from `master` to test Rails 7 compatibility I'm running into a CSRF Token error. It's hard for me to debug this deeper, but from what I've found it seems that either `redis-actionpack` or `redis-rack` is interfering with the way `actionpack` validates the CSRF Tokens.

I created this example app which consists of a `rails new` (first commit) and then a second commit that adds a basic form (all on the `main` branch). This PR (on that ^ same repo) adds the `config.session_store :redis_store` configuration. When adding this is when the error is reproduced. Maybe I'm missing something? Any ideas/suggestions would be greatly appreciated.

I don't think it should make any difference, but I'm running macOS on an M1 machine.