Rails community, I have been investigating and debugging a serious, widespread problems with our Rails 4.1 app (I realize Rails 4.1 is no longer supported, see below.)
This is not a simple "pass the CSFR token from the form to the controller" question. This appears to me to be a serious, widespread architectural flaw in Rails 4.0 and Rails 4.1 that appear to basically make those versions of Rails essentially incompatible with newer browsers. (The newer browsers, by the way, appear not to be respecting Cache-control headers, which looks to me the like the root of the problem) The problem is detailed here: https://stackoverflow.com/questions/45329731/csrf-tokens-to-not-match-what-is-in-session-rails-4-1?noredirect=1#comment77622671_45329731 <https://stackoverflow.com/questions/45329731/csrf-tokens-to-not-match-what-is-in-session-rails-4-1?noredirect=1#comment77622671_45329731> Quick question: As explained here, I understand that the CSRF implementation to be different in Rails 5. Specifically, each form gets its own token. My question is this: Does this new design in Rails 5 eliminate or lessen the symptom described in my SO post above? If so, this would be a compelling reason for us to upgrade to Rails 5, as we think we are loosing a significant amount of traffic due to this bug. If not, I am wondering if others are seeing this too and what can be done to address this issue. -Jason ---- Jason Fleetwood-Boldt [email protected] http://www.jasonfleetwoodboldt.com/writing If you'd like to reply by encrypted email you can find my public key on jasonfleetwoodboldt.com <http://jasonfleetwoodboldt.com/> (more about setting GPG: https://gpgtools.org) -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/3ABEAB17-6417-4FB6-94BC-6B853FB95176%40datatravels.com. For more options, visit https://groups.google.com/d/optout.
