Debugging Random Invalid Authenticity Token Errors

Question

Our production server has been producing invalid authenticity token errors for several months now. The errors are produced on almost all forms sending (PUT|POST|DELETE) requests. Sometimes the error occurs, sometimes they don't. There appears to be no rhyme or reason as to why they occur. The error itself does not occur often but it is a worry for us. Below is an example of what a typical form that causes this error looks like.

<form class="button_to" method="post" action="/lesson_progress_trackers/333">  
  <input type="hidden" name="_method" value="patch">
  <input class="finish-lesson-button" type="submit" value="Done!">
  <input type="hidden" name="authenticity_token" value="Qd3FsJZY2UXR9vahuFmaY5rrqA+J5xzGpl4cGI2Vwerx8PZPQtDMugz6oqoe3iviC+/U5zTYPdeX3apwbap09E==">
  <input type="hidden" name="completed" value="true">
</form>

Here's what I've discovered so far.

1. We use Turbolinks 2.5.3 (we have not updated this in over a year).
2. In every case of an invalid token error, the user passed an authenticity token to the server, it just ended up being invalid.
3. We currently use protect_from_forgery with: :exception in our application controller.
4. The errors started appearing when we pushed a bunch of new code to production several months ago. This new code spans hundreds of files but so far I've found nothing in the code that would be relevant to this issue.
5. The error can occur on any type of browser and device.
6. There is no correlation between increased traffic and the invalid auth tokens appearing.
7. Users can come from any country.
8. These are not bots experiencing these issues. We even had a colleague experience this error though they can't recall what they did to produce it.
9. The users follow typical if not expected behavior. They are using the app as intended. I looked through their clicks and recorded behavior history to conclude this.

Ultimately I want to figure out how to solve this. My first step is to reproduce the error successfully, but I can't even do that. My question is this: what can I do to get me on my way to figuring out what's causing this? I am running out of options. Thanks!

Answer 1

Dunno if this is too late to be useful, but I had the same problem. I was able to reproduce by:

1. Make sure you are signed out of the app
2. open a browser tab to the sign in page
3. Let it sit long enough to expire the session/csrf token (could be several hours)
4. open another tab to the sign-in page, and log in
5. go back to the old tab and try to log in again - The InvalidAuthenticityToken exception occurs.

I think that this happened for me because the two tabs shared a single session, the session that was created when the new tab was opened. However, the old tab still had the csrf token from the old session in the login form. When the new session cookie and the old csrf token were submitted together, they did not match and therefore the error is thrown.

I'm not sure how to actually fix this, other than handling the error more gracefully so that the user doesn't see a confusing error page.

BTW, I am using devise, but I don't think that it is specific to Devise.