sinatra / rack-protection

NOTE: This project has been merged upstream to sinatra/sinatra
https://github.com/sinatra/sinatra/tree/master/rack-protection

Token changes between retrieval and request #89

Closed cmouse closed 10 years ago

cmouse commented 10 years ago

When using Rack::Attack::AuthenticityToken, I keep running into the following problem.

I have an AJAX API for retrieving the authenticity token value. When I perform any non-GET request, I retrieve the current token value from the API, carefully avoiding caches by setting cache control to private, expires to 0 and using ?t=current unixtime. This is done just before the request is sent.

However, I only get random success this way; I keep getting 403 forbidden despite my best efforts. By setting reaction to report and dumping the values, I get

{"token":"e9fd1b32b24fe28a269e1b5ae133247b","session":"44df68d49e7f9977238662f53fd28cc6"}

which is a mismatch.

I cannot understand how the token can change between retrieval and performing the request. Is this a bug or misuse on my part?

I am using:

cmouse commented 10 years ago

This was due to mishandling of session cookies.
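The failure mode described in this thread, as an added example that is not part of the issue or of rack-protection's own code: a stdlib-only Ruby model of a session-bound authenticity token (the names TokenServer, correct_client and cookie_dropping_client are assumed). It shows that the token is only as stable as the session cookie that selects it: when the AJAX token fetch and the following POST do not carry the same session cookie, the server compares the submitted token against a fresh session's token and answers 403.

```ruby
require 'securerandom'

# Simplified model (added example, not rack-protection's code) of a CSRF
# token stored in the server-side session. Which session is consulted is
# decided solely by the cookie the client sends with each request.
class TokenServer
  def initialize
    @sessions = {} # session id (cookie value) => { csrf: token }
  end

  # GET /token: returns [token, session_cookie]. A request carrying a known
  # session cookie reuses that session; any other request gets a new one.
  def get_token(cookie)
    sid = @sessions.key?(cookie) ? cookie : new_session
    @sessions[sid][:csrf] ||= SecureRandom.hex(16)
    [@sessions[sid][:csrf], sid]
  end

  # Non-GET request: accepted only when the submitted token equals the token
  # stored in the session named by the cookie. Returns the HTTP status code.
  def post(cookie, submitted_token)
    sid = @sessions.key?(cookie) ? cookie : new_session
    expected = @sessions[sid][:csrf] ||= SecureRandom.hex(16)
    secure_compare(expected, submitted_token.to_s) ? 200 : 403
  end

  private

  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  # Constant-time comparison, as CSRF middleware does, to avoid timing leaks.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Client that honours Set-Cookie: token fetch and POST share one session.
def correct_client(server)
  token, cookie = server.get_token(nil) # first request creates the session
  server.post(cookie, token)            # same session, same token => 200
end

# Client that loses the cookie between the AJAX token fetch and the POST:
# the POST lands in a brand-new session with a different token => 403.
def cookie_dropping_client(server)
  token, _cookie = server.get_token(nil)
  server.post(nil, token)
end
```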