Rails CSRF 令牌 - 它们会过期吗? [英] Rails CSRF Tokens - Do they expire?

问题描述

我注意到，如果您使用无效的 CSRF 令牌发帖，rails/devise 会自动将您注销.

I've noticed that if you post with an invalid CSRF token, rails/devise automatically signs you out.

我有一个不刷新页面的应用程序，用户长时间坐在实时页面上.用户时不时地被踢出.我想知道 CSRF 令牌是否到期，使其无效.

I have an application that doesn't refresh the page, and users sit on the real-time page for a long time. Every now and then the user gets kicked out. I'm wondering if the CSRF token is expiring, making it invalid.

这就是我要学习的原因，Rails CSRF 令牌会过期吗?某处有时间设置吗?

Which is why I'm trying to learn, does Rails CSRF tokens expire? Is there a time setting somewhere?

谢谢

推荐答案

Rails 中的 CSRF 保护通过在提交的表单和用户会话中存储一个随机值作为字段来工作.如果提交表单时这些值不匹配，Rails 会拒绝表单提交请求.

CSRF protection in Rails works by storing a random value as a field in the form being submitted, and also in the user session. If the values don't match when a form is submitted, Rails rejects the form submission request.

如果您在 Rails 中使用默认 cookie 会话存储，则会话不会过期(直到 cookie 过期).如果您正在使用其他东西(文件或数据库支持的会话)，那么是的，如果这些会话过期，表单提交将失败并出现 CSRF 错误.

If you're using the default cookie session store in Rails, then sessions won't expire (until the cookie does). If you're using something else (file or DB backed sessions), then yes, if those sessions expire, the form submission will fail with a CSRF error.

因此，如果您使用基于 cookie 的会话(默认设置)，请检查 cookie 的有效期.如果这看起来没问题，那可能是其他问题.

So if you're using cookie based sessions (the default), check the cookie expiry. If that looks OK, it's probably some other issue.

这篇关于Rails CSRF 令牌 - 它们会过期吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！