Rails4 ActionController::InvalidAuthenticityToken error


Problem description

I have a Rails4 application running in production, and my visitors occasionally run into an ActionController::InvalidAuthenticityToken error, which I can't reproduce. I get 2-4 daily notifications from various forms, with no clear logic behind them. The report I receive shows that the authenticity_token submitted by the form is different from the one kept in the session. How is it possible? I managed to run into the problem myself a few times, however it's impossible to reproduce; all of a sudden the authenticity_token for the form is different from the one stored in the session and InvalidAuthenticityToken arises.
Any ideas where to start looking?

Example:

 Request:
-------------------------------

  * URL        : https://domain/signin
  * HTTP Method: POST
  * IP address : 113.96.xx.xx
  * Parameters : {"utf8"=>"✓", "authenticity_token"=>"MOh9JDE1AZ0CbIw/M33vfhjRShwzI6oqMhi8lk+n7OE=", "email"=>"xxxx@xxx", "password"=>"[FILTERED]", "commit"=>"Sign In", "controller"=>"clients", "action"=>"signin", "locale"=>"en"}

-------------------------------
Session:
-------------------------------

  * session id: [FILTERED]
  * data: {"_csrf_token"=>"QazCSVGeZlxEh83XTM+f5PkC/zopwCF96yV4duRats0="}

Update: Wanted to add that I'm serving the pages via two load balanced AWS EC2 instances, and store sessions in Redis ElastiCache instance

Recommended answer

To answer my own question, in case someone runs into the same issue, it seems like removing csrf_meta_tag from the header fixed the problem for us. I don't know why. Could be that the Rails JavaScript responsible for setting the auth_token was interfering in some way with our JavaScript and caused the problem, but my gut feeling is that it had to do something with cache, either on server or client side. Anyway, after removing csrf_meta_tag it seems like we got rid of the problem. Just make sure you're using the form_tag for all your forms.
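
A triage helper for reports like the one in the question, added here as an example and not part of the original question or answer: it separates a well-formed token that belongs to a different session (the pattern in the report, consistent with a stale or cached page) from a lost session or a token damaged in transit. It assumes the unmasked 32-byte Base64 token format visible in the report; the function names and the report hash shape are hypothetical.

```ruby
# Added triage helper (not from the original post). Assumes the unmasked,
# 32-byte Base64 token format visible in the report above.
TOKEN_FORMAT = %r{\A[A-Za-z0-9+/]{43}=\z}

# Compare without short-circuiting on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Classify one error report: submitted form token vs. session["_csrf_token"].
def classify_csrf_report(submitted, session_token)
  # Session cookie missing or expired: the server has nothing to compare with.
  return :no_session_token if session_token.nil? || session_token.empty?
  return :no_submitted_token if submitted.nil? || submitted.empty?
  return :match if secure_equal?(submitted, session_token)
  # An unencoded "+" in a form body is decoded as a space.
  return :mangled_in_transit if secure_equal?(submitted.tr(" ", "+"), session_token)
  return :malformed_token unless submitted.match?(TOKEN_FORMAT)
  # Well-formed but different: the form was rendered for another session
  # (cached HTML, or the session changed between render and submit).
  :token_from_other_session
end

# Tally a batch of reports, each a hash with :submitted and :session keys.
def summarize(reports)
  reports.each_with_object(Hash.new(0)) do |r, counts|
    counts[classify_csrf_report(r[:submitted], r[:session])] += 1
  end
end

# Values copied from the report on this page.
PAGE_SUBMITTED = "MOh9JDE1AZ0CbIw/M33vfhjRShwzI6oqMhi8lk+n7OE="
PAGE_SESSION   = "QazCSVGeZlxEh83XTM+f5PkC/zopwCF96yV4duRats0="

# First entry is the page's report; the rest are constructed samples.
REPORTS = [
  { submitted: PAGE_SUBMITTED, session: PAGE_SESSION },
  { submitted: PAGE_SESSION.tr("+", " "), session: PAGE_SESSION },
  { submitted: PAGE_SUBMITTED, session: nil },
  { submitted: "truncated", session: PAGE_SESSION },
]

if __FILE__ == $PROGRAM_NAME
  summarize(REPORTS).each { |kind, n| puts "#{kind}: #{n}" }
end
```

If most production reports fall under `:token_from_other_session`, check whether any layer (page caching, CDN, browser back/forward cache) can serve HTML rendered for a different session.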
