CSRF resets my session in Firefox

Hello all,

I've been trying to diagnose an issue with CSRF and Firefox specifically. I've got an ajax-based form, using UJS (yes, I have csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header to the ajax beforeSend events without any luck)... The form just posts some data to an ajax method that creates, saves, and sets the session for a shopper as well as for a hit object, then returns some JSON. This works in Chrome and Safari (haven't tested IE yet), but Firefox is a no-go. Basically, the session gets reset by CSRF (I confirmed this by setting config.action_controller.allow_forgery_protection to false and it works), but the weird thing is that upon inspecting the session, I DO have a hit_id, but no shopper_id!! This completely breaks my form and is frustrating as hell :stuck_out_tongue:

I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would be appreciated!


I expect you have done this (or an equivalent) already, but just in case, have you checked that the page contains valid html by pasting the complete page html into the w3c html validator?

Colin

Thanks for the response. Yeah, it's validating fine. I have discovered that the hit_id that I have in the session at the end is actually incremented by one, like it completely recreated the session, just without a shopper_id. Can't replicate in any other browser than Firefox... (on Mac)

Hello all, I've been trying to diagnose an issue with CSRF and Firefox specifically. I've got an ajax-based form, using UJS (yes, I have csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header to the ajax beforeSend events without any luck)...

Instead of sending it as part of the header, have you tried sending it as part of the data? I'm not sure if it will make any difference (it should not) but it won't hurt to try.

After a couple of days of debugging, I found out it was race conditions and totally unrelated to the CSRF... Turned out that CSRF was just a red herring. When the page was kicked off, there were a few asynchronous requests going on that were resetting the cookie. So for example, request A gets kicked off (that sets the shopper_id stuff) and request B gets kicked off at the same time (doesn't return the shopper_id), then request A finishes and sets the cookie (which has the shopper_id), but then request B comes back and overwrites that cookie thinking it was the original cookie.

Very confusing and hard to track down, but my coworker and I managed to figure it out.

Thanks all! - Jeff
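The lost-update race Jeff describes is easy to reproduce in isolation once you model a cookie-store session, where every response that touches the session rewrites the whole cookie. The following is an added example, not code from the original thread or the poster's application: `request_a` and `request_b` are hypothetical handlers standing in for the two concurrent ajax calls, and the cookie is plain JSON rather than a signed Rails cookie. It shows why the surviving session has a hit_id (bumped by the second request) but no shopper_id, and that sequencing B after A's response makes the id survive.

```ruby
require 'json'

# Constructed model of a cookie-store session: the cookie value *is* the
# session hash, so each response carries the full session back in Set-Cookie.
module CookieSession
  def self.load(cookie)
    cookie.nil? || cookie.empty? ? {} : JSON.parse(cookie)
  end

  def self.dump(hash)
    JSON.generate(hash)
  end
end

# Hypothetical handler A: creates the shopper and the hit, stores both ids.
def request_a(cookie_in, shopper_id:, hit_id:)
  session = CookieSession.load(cookie_in)
  session['shopper_id'] = shopper_id
  session['hit_id'] = hit_id
  CookieSession.dump(session)          # the cookie this response sets
end

# Hypothetical handler B: only records a hit, never sets shopper_id,
# but still rewrites the whole session cookie because it touched the session.
def request_b(cookie_in, hit_id:)
  session = CookieSession.load(cookie_in)
  session['hit_id'] = hit_id
  CookieSession.dump(session)
end

# The interleaving from the thread: A and B both start from the same
# (empty) cookie; A's response lands first, B's lands second and wins.
def parallel_race
  initial = CookieSession.dump({})
  set_cookie_from_a = request_a(initial, shopper_id: 42, hit_id: 1)
  set_cookie_from_b = request_b(initial, hit_id: 2)   # started before A returned
  browser_cookie = set_cookie_from_a
  browser_cookie = set_cookie_from_b                  # last Set-Cookie overwrites
  CookieSession.load(browser_cookie)                  # => {"hit_id"=>2}, no shopper_id
end

# Fix: let B start only after A's Set-Cookie has been applied, so B loads a
# session that already holds shopper_id and carries it forward unchanged.
def sequential
  initial = CookieSession.dump({})
  set_cookie_from_a = request_a(initial, shopper_id: 42, hit_id: 1)
  set_cookie_from_b = request_b(set_cookie_from_a, hit_id: 2)
  CookieSession.load(set_cookie_from_b)               # => {"shopper_id"=>42, "hit_id"=>2}
end

# Diagnostic check a practitioner can run: does a given interleaving lose the
# shopper_id that request A wrote?
def shopper_id_lost?(final_session)
  !final_session.key?('shopper_id')
end

if __FILE__ == $PROGRAM_NAME
  puts "parallel:   #{parallel_race.inspect} lost=#{shopper_id_lost?(parallel_race)}"
  puts "sequential: #{sequential.inspect} lost=#{shopper_id_lost?(sequential)}"
end
```

The general lesson is that with a cookie session store the browser, not the server, holds the only copy of the session, so any two overlapping responses that both write the session will clobber each other with whichever Set-Cookie arrives last. Serializing the requests on the client fixes this specific page; the more robust options are to stop the second request from touching the session at all, or to keep session state server-side so that concurrent responses only exchange an identifier rather than the whole session.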