After a couple days of debugging, I found out it was race conditions and totally unrelated to the CSRF... Turned out that CSRF was just a red herring. When the page was kicked off, there were a few asynchronous requests going on that were resetting the cookie. So for example, request A gets kicked off (that sets the shopper_id stuff) and request B gets kicked off at the same time (doesn't return the shopper_id), then request A finishes and sets the cookie (which has the shopper_id), but then request B comes back and overwrites that cookie thinking it was the original cookie.
Very confusing and hard to track down, but my coworker and I managed to figure it out. Thanks all!

- Jeff
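The interleaving described in the post above, as an added example that is not part of the original message: a constructed Ruby model of a session stored whole in one cookie, where each response writes back the snapshot its request started with. The class names, the `cart` and `last_seen` keys, and the `constructed-123` value are assumptions made for illustration; only `shopper_id` comes from the post.

```ruby
require "json"

# Constructed model of a cookie-backed session: the whole session hash is
# serialized into one cookie value (signing/encryption omitted for brevity).
# All class and key names other than shopper_id are hypothetical.
class Browser
  attr_reader :cookie

  def initialize(session)
    @cookie = JSON.generate(session)
  end

  # One value per cookie name: the most recent Set-Cookie replaces the old one.
  def receive(set_cookie)
    @cookie = set_cookie
  end

  def session
    JSON.parse(@cookie)
  end
end

class InFlightRequest
  # The server sees the cookie as it was when the request was sent.
  def initialize(browser, &handler)
    @session = JSON.parse(browser.cookie)
    @handler = handler
  end

  # The response re-serializes that snapshot plus the handler's changes.
  def finish
    @handler.call(@session)
    JSON.generate(@session)
  end
end

# Send A and B before either response arrives, then deliver responses in `order`.
def run(order)
  browser = Browser.new({ "cart" => "empty" })
  requests = {
    a: InFlightRequest.new(browser) { |s| s["shopper_id"] = "constructed-123" },
    b: InFlightRequest.new(browser) { |s| s["last_seen"] = "home" }
  }
  order.each { |name| browser.receive(requests[name].finish) }
  browser.session
end

puts "A then B: #{run(%i[a b])}" # B's stale snapshot replaces A's cookie
puts "B then A: #{run(%i[b a])}" # A's write survives, B's change is lost instead
```

Whichever response arrives last decides the final cookie, which is why the symptom appears only intermittently.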

