When using Rack::Attack::AuthenticityToken, I keep running into the following problem.
I have an AJAX API for retrieving the authenticity token value. When I perform any non-GET request, I retrieve the current token value from the API, carefully avoiding caches by setting Cache-Control to private, Expires to 0 and appending ?t=<current unix time>. This is done just before the request is sent.
However, I only get random success this way; I keep getting 403 Forbidden despite my best efforts. By setting the reaction to report and dumping the values, I get
which is a mismatch.
I cannot understand how the token can change between retrieval and performing the request. Is this a bug or misuse on my part?
I am using:
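The fetch-a-fresh-token-then-send flow described in the question, as an added example that is not code from the original post or from rack-attack. The token endpoint path, the `{"token": "..."}` response shape and the `X-CSRF-Token` header are assumptions for illustration; the in-memory server and cookie model are constructed so the flow runs offline and so a mismatch (token fetched in one session, checked in another) can be reproduced deliberately. That model illustrates one way a just-fetched token can fail to match; it is not a diagnosis of the poster's setup.

```javascript
// Added example, not code from the original post: fetch a fresh token, then send
// the non-GET request, with the transport injected so it runs offline.
// Hypothetical: TOKEN_ENDPOINT, the {"token": "..."} response and X-CSRF-Token.

const TOKEN_ENDPOINT = '/api/authenticity_token';

// Cache-busting URL: the post appends ?t=<current unix time> to the token request.
function buildTokenUrl(endpoint, unixTime) {
  return `${endpoint}?t=${unixTime}`;
}

// Retrieve the current token. The credentials mode decides whether the session
// cookie travels with the request; a token issued to a different session than the
// one the server later checks cannot match.
async function fetchToken(fetchImpl, unixTime, credentials) {
  const res = await fetchImpl(buildTokenUrl(TOKEN_ENDPOINT, unixTime), {
    method: 'GET',
    credentials,
    headers: { 'Cache-Control': 'no-cache', Pragma: 'no-cache' },
  });
  if (!res.ok) throw new Error(`token fetch failed: ${res.status}`);
  const body = await res.json();
  if (typeof body.token !== 'string' || body.token === '') {
    throw new Error('token endpoint returned no token');
  }
  return body.token;
}

// Send the non-GET request carrying the token in the X-CSRF-Token header (assumed).
async function sendRequest(fetchImpl, url, method, payload, token, credentials) {
  return fetchImpl(url, {
    method,
    credentials,
    headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': token },
    body: JSON.stringify(payload),
  });
}

// The flow from the post: fetch the token immediately before the request.
async function sendWithToken(fetchImpl, url, method, payload, opts = {}) {
  const unixTime = opts.unixTime ?? Math.floor(Date.now() / 1000);
  const credentials = opts.credentials ?? 'same-origin';
  const token = await fetchToken(fetchImpl, unixTime, credentials);
  return sendRequest(fetchImpl, url, method, payload, token, credentials);
}

// Constructed in-memory stand-in for server plus browser cookie jar (not a real
// Rack app): one token per session, 403 when the header token differs from the
// session's token, which is the failure the post reports.
function makeFakeServer() {
  const sessions = new Map(); // session id -> token
  let nextSession = 1;
  const log = [];
  const fetchImpl = async (url, init = {}) => {
    // Cookie model: 'same-origin' reuses the cookie 'sess'; anything else sends no
    // cookie, so the server starts a new session with a new token on every call.
    const sid = init.credentials === 'same-origin' ? 'sess' : `anon-${nextSession++}`;
    if (!sessions.has(sid)) sessions.set(sid, `tok-${sessions.size + 1}`);
    const token = sessions.get(sid);
    const method = init.method || 'GET';
    log.push({ url, method, sid });
    if (url.startsWith(TOKEN_ENDPOINT)) {
      return { ok: true, status: 200, json: async () => ({ token }) };
    }
    const sent = (init.headers || {})['X-CSRF-Token'];
    const ok = method === 'GET' || sent === token;
    return { ok, status: ok ? 200 : 403, json: async () => ({}) };
  };
  return { fetchImpl, log, sessions };
}
```

With `credentials: 'same-origin'` the token request and the POST hit the same session and the POST succeeds; with `credentials: 'omit'` each call lands in a fresh session under this model, so the token the client just fetched is not the one the server compares against and the POST gets 403 even though nothing was cached. When debugging a mismatch, logging the session identifier alongside the two token values is the check that separates this case from a genuinely rotated token.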