I’ve noticed that if you post with an invalid CSRF token, rails/devise automatically signs you out.
I have an application that doesn’t refresh the page, and users sit on the real-time page for a long time. Every now and then the user gets kicked out. I’m wondering if the CSRF token is expiring, making it invalid.
Which is why I’m trying to learn: do Rails CSRF tokens expire? Is there a time setting somewhere?
Thanks
CSRF protection in Rails works by storing a random value as a field in the form being submitted, and also in the user session. If the values don’t match when a form is submitted, Rails rejects the form submission request.
If you’re using the default cookie session store in Rails, then sessions won’t expire (until the cookie does). If you’re using something else (file or DB backed sessions), then yes, if those sessions expire, the form submission will fail with a CSRF error.
So if you’re using cookie based sessions (the default), check the cookie expiry. If that looks OK, it’s probably some other issue.
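The mechanism the answer describes, as an added example that is not part of the thread and is not Rails' own code: a small Ruby model of the Rails check, where the per-session secret lives in `session[:_csrf_token]`, each rendered form gets a freshly masked copy of it, and a submission is accepted only if the unmasked value still matches the secret in the current session. The `session` Hash is a constructed stand-in for the session store; the method names mirror Rails' but the bodies are a simplified reimplementation. It also shows the failure the answer predicts: once the server-side session (and its secret) is gone, every token minted earlier is rejected.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32

# Per-session secret. Rails stores this base64-encoded under session[:_csrf_token];
# with the cookie store it lives inside the (signed/encrypted) session cookie itself.
def real_csrf_token(session)
  session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH))
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Token embedded in a form / meta tag: a one-time pad followed by (pad XOR secret).
# Every render produces a different string, yet each unmasks to the same secret;
# the masking exists to blunt compression side channels such as BREACH.
def masked_authenticity_token(session)
  secret = real_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, secret))
end

# Constant-time byte comparison so the check does not leak where the mismatch is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side verification on POST/PUT/PATCH/DELETE.
def valid_authenticity_token?(session, submitted)
  return false if submitted.nil?
  # An expired or replaced session has no secret; there is nothing to match against,
  # which is exactly the "session expired => CSRF failure" case from the answer.
  return false unless session.key?(:_csrf_token)
  decoded = begin
    Base64.strict_decode64(submitted)
  rescue ArgumentError
    return false
  end
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), real_csrf_token(session))
end

if __FILE__ == $PROGRAM_NAME
  session = {}                                   # constructed: a fresh logged-in session
  page_token = masked_authenticity_token(session)  # rendered into the long-lived page
  puts "same session:     #{valid_authenticity_token?(session, page_token)}"
  puts "expired session:  #{valid_authenticity_token?({}, page_token)}"
end
```

Note that nothing here ties a token to a clock: the form token is only ever checked against whatever secret the current session holds, so the token itself does not expire, but it becomes useless the moment the session that generated it is dropped, whether by a cookie expiring or by a server-side store evicting it.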