CSRF resets my session in Firefox

Hello all,
  I've been trying to diagnose an issue with CSRF and Firefox
specifically. I've got an ajax based form, using UJS (yes, I have
csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
to the ajax beforeSend events without any luck)... The form just posts
some data to an ajax method that creates, saves, and sets the session
for a shopper as well as for a hit object, then returns some JSON. This
works in Chrome and Safari (haven't tested IE yet), but Firefox is a
no-go. Basically, the session gets reset by CSRF (I confirmed this by
setting config.action_controller.allow_forgery_protection to false and
it works), but the weird thing is that upon inspecting the session, I DO
have a hit_id, but no shopper_id!! This completely breaks my form and is
frustrating as hell :stuck_out_tongue:

I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would
be appreciated!

Hello all,
  I've been trying to diagnose an issue with CSRF and Firefox
specifically. I've got an ajax based form, using UJS (yes, I have
csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
to the ajax beforeSend events without any luck)... The form just posts
some data to an ajax method that creates, saves, and sets the session
for a shopper as well as for a hit object, then returns some JSON. This
works in Chrome and Safari (haven't tested IE yet), but Firefox is a
no-go. Basically, the session gets reset by CSRF (I confirmed this by
setting config.action_controller.allow_forgery_protection to false and
it works), but the weird thing is that upon inspecting the session, I DO
have a hit_id, but no shopper_id!! This completely breaks my form and is
frustrating as hell :stuck_out_tongue:

I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would
be appreciated!

I expect you have done this (or an equivalent) already, but just in
case, have you checked that the page contains valid html by pasting
the complete page html into the w3c html validator?

Colin

Thanks for the response. Yeah, it's validating fine. I have discovered
that the hit_id that I have in the session at the end is actually
incremented by one, like it completely recreated the session, just
without a shopper_id. Can't replicate in any other browser than
firefox... (on Mac)

Hello all,
  I've been trying to diagnose an issue with CSRF and Firefox
specifically. I've got an ajax based form, using UJS (yes, I have
csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
to the ajax beforeSend events without any luck)...

Instead of sending it as part of the header, have you tried sending it as
part of the data? I'm not sure if it will make any difference (it should
not)
but it won't hurt to try.

After a couple days of debugging, I found out it was race conditions and
totally unrelated to the CSRF... Turned out that CSRF was just a red
herring. When the page was kicked off, there were a few asynchronous
requests going on that was resetting the cookie. So for example, request
A gets kicked off (that sets the shopper_id stuff) and request B gets
kicked off at the same time (doesn't return the shopper_id), then
request A finishes and sets the cookie (which has the shopper_id), but
then request B comes back and overwrites that cookie thinking it was the
original cookie.

Very confusing and hard to track down, but my coworker and I managed to
figure it out.

Thanks all!
- Jeff