I spoke to a couple people who are running into this problem and they are using the form on the website to login just like everyone else.
It is a POST request: <form action="/session" method="post">
How do I check that the form_authenticity_token matches the given _token value?
What makes this weird is 95% of people can get in no problem whatsoever. It is some of the people some of the time. That is what is confusing. Is it where I set my session values?
Here is session#create:

def create
  @user = User.authenticate(params[:nickname], params[:password])
  if @user
    set_user_session(@user)
    @user.set_last_logged_in_to_now
    redirect_to session[:return_to].nil? ? home_path : session[:return_to]
  else
    flash[:error] = "Hmmm, we were not able to find you. You sure you entered your nickname and password correctly?"
    redirect_to root_path
  end
end

Does this help?
> I am not doing any caching what so ever unless Rails 2 and 2.1 did
> caching out of the box.
>
> The stack trace only gives me the only value... not the other.
>
> Any other suggestions? :-( Any fixes? :-(
Do you reset the session on login? If you do reset the session and if
the user later hits the back button and logs in again then they will
be logging in from the browser's cached copy of the login page (i.e.
with the old authenticity token).
Fred
> No I do not. The person comes straight to the page. Tries to login
> and boom... gets an InvalidAuthenticityToken... are any parts of the
> token stored in the cookie store? This does not happen to everyone
> just some people.
The value which gets hashed to produce the token is stored in the
session (i.e. in the cookie).
> I have no clue why but maybe it is truncated in the cookie and ends
> up not matching.
>
An exception should be raised if that happens.
> At a maximum this is what I store in a session:
>
> session[:return_to] = request.env['REQUEST_PATH']
> session[:user] = user.id
> session[:nickname] = user.nickname
> session[:sex] = user.sex
> session[:country_id] = user.country_id
> session[:administrative_area_id] = user.administrative_area_id
> and flash notices...
>
> Maybe I need to change session storage?
>
You could give it a go, but I doubt it will change much.
Have you glanced through your log files to see if there's anything
abnormal or unusual about the people who are affected? There are race
conditions with sessions if users have more than one request, is that
a possibility?
> Not from what I can tell. Can you give me any examples that would
> cause race conditions? Double clicking login?
For example if you load the page with the login box simultaneously
(and you don't yet have a session cookie) then you'll get two entirely
separate session cookies or if a page fired two ajax requests that
happened to overlap. I know there are some tools (virus scanners, 'web
accelerators') that preemptively load pages before you click on the
link, which could be a factor.
Other than that I can't think of anything better than finding an
example where it did happen, pull all the requests from that ip
address from your log file and go over it with a fine comb.
If you are using the cookie store, session ids look like
BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo
%0ASGFzaHsABjoKQHVzZWR7AA%3D%3D--
ebdc89d60a4349db4222e46665474e561b7a230b
if you take the first portion, you can extract what was in their
session:

Marshal.load(CGI.unescape("BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%0ASGFzaHsABjoKQHVzZWR7AA%3D%3D").unpack('m*').first)
=> {"flash"=>{}}
So I had an empty session with just the flash.
I'd probably write a script that would munch through the log files
and print each request from the person in question along with what was
in the session and try and work out what happened.
Fred
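As an added example (not code from this thread or from Rails itself), here is a Ruby script in the spirit of Fred's suggestion: it rebuilds the cookie-store layout shown above (base64 Marshal payload, two dashes, hex digest), checks the digest in constant time before unmarshalling, because Marshal.load on unverified cookie bytes is unsafe, and then walks log lines for one IP to show each request's session. The secret, the log line format and the session contents are constructed assumptions.

```ruby
require 'base64'
require 'cgi'
require 'openssl'

# Constructed secret for this example; a real app would use its own session secret.
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

def hmac_sha1(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Constant-time comparison so the check does not leak how many leading
# digest characters matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a cookie in the layout shown above: base64(Marshal.dump(hash)),
# "--", then the hex HMAC-SHA1 of the base64 payload, URL-escaped as a whole.
def encode_session(hash, secret = SECRET)
  data = Base64.encode64(Marshal.dump(hash)).chomp
  CGI.escape("#{data}--#{hmac_sha1(secret, data)}")
end

# Verify the digest first and only then unmarshal; returns nil for a
# malformed or tampered cookie so Marshal.load never sees untrusted bytes.
def decode_session(cookie, secret = SECRET)
  data, digest = CGI.unescape(cookie).split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_equal?(digest, hmac_sha1(secret, data))
  Marshal.load(Base64.decode64(data))
end

# Constructed log lines (this "ip method path cookie" format is invented for
# the example); the second line carries a cookie whose payload was altered.
LOG_LINES = [
  "203.0.113.5 GET /login #{encode_session('flash' => {})}",
  "203.0.113.5 POST /session #{encode_session('flash' => {}).sub('BAh', 'BAg')}",
  "198.51.100.7 GET /login #{encode_session('user' => 7)}"
].freeze

# Return [path, session-or-nil] pairs for every request from one client,
# which is the per-IP walk through the logs suggested above.
def sessions_for_ip(log_lines, ip)
  log_lines.map(&:split).select { |f| f[0] == ip }.map do |_, _, path, cookie|
    [path, decode_session(cookie)]
  end
end
```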