We are seeing an unfortunate and likely browser-based CSRF token authenticity problem in our Rails 4.1 app. We are posting it here to ask the community if others are seeing it too.
Please be aware that most error reporting tools — like Honeybadger — automatically suppress ActionController::InvalidAuthenticityToken, so you don’t normally see the problem in your error reporting tool unless you go out of your way to see it.
Here’s the problem, and this is NOT a development issue — it is a production issue that has yet to be diagnosed.
The exception we see is simply ActionController::InvalidAuthenticityToken on normal logins to our website. Upon careful examination of the authenticity_token sent by the form and the session’s _csrf_token (we are using active_record_store as our session_store setting), they just don’t match. Upon direct examination, I can conclude only that they are completely different tokens, but I don’t know why.
This is not a simple newbie developer question, please DO NOT answer with basic answers about how the CSRF token needs to be passed from the client to the server, or how to skip forgery protection on my controllers. I am not interested in hearing from anyone with either of those two answers: You don’t know what you’re talking about and you don’t understand the depth and complexity of the issue. I am only interested in hearing from people with high-traffic websites who can confirm this is happening on a non-insignificant number of visitors (and strangely seems to affect certain browsers more often than other browsers).
We see this problem broadly, maybe about 1-2% of our high-traffic website. I see it only in Production, I am unable to reproduce it in development whatsoever.
I see it on IE 11 and Edge browsers most (you will note Rails 4.1 was released before IE 11 and Edge), but also on Chrome on Android and occasionally mobile Safari too.
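Added as an example here, not code from the original post or from Rails itself: a small pure-Ruby triage routine for failures like the one described above. It mirrors what Rails 4.1 checks (the token from `params[:authenticity_token]` or the `X-CSRF-Token` header against `session[:_csrf_token]`) and then names the likeliest cause from the facts a logged failure would carry. The hash keys and the cause categories are my assumptions, chosen to separate "browser never sent the session cookie" from "active_record_store had no row" from "valid session, stale form".

```ruby
require 'securerandom'

# Rails 4.1 keeps one raw token per session and expects the same string back
# in params[:authenticity_token] or the X-CSRF-Token header.
def new_csrf_token
  SecureRandom.base64(32) # 44-character token, the size Rails 4.1 generates
end

# Constant-time comparison so the check itself leaks no timing information.
def tokens_match?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Classify one failed request. Keys are assumed for this example:
#   :cookie_sent   - the browser sent the session cookie at all
#   :session_found - active_record_store had a row for that cookie
#   :session_token - session[:_csrf_token] (nil if never set)
#   :form_token    - params[:authenticity_token]
#   :header_token  - the X-CSRF-Token request header
def diagnose_csrf_failure(req)
  submitted = req[:form_token] || req[:header_token]
  return :token_not_submitted  if submitted.nil?
  return :no_session_cookie    unless req[:cookie_sent]     # cookie blocked or expired client-side
  return :session_row_missing  unless req[:session_found]   # store pruned or session rotated
  return :session_has_no_token if req[:session_token].nil?  # form page served before a session existed
  return :valid                if tokens_match?(submitted, req[:session_token])
  :stale_form_token # form rendered under an older session, e.g. a cached page or reset_session
end

# Constructed sample of what a logged failure might carry.
if __FILE__ == $0
  live = new_csrf_token
  p diagnose_csrf_failure(cookie_sent: true, session_found: true,
                          session_token: live, form_token: new_csrf_token)
end
```

Logging the five inputs at the point where `InvalidAuthenticityToken` is raised (together with user agent and session id) is what makes a classification like this possible in production; a bare exception count cannot distinguish the cases.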