forgery protection for multiple browser tabs

Hi,

http://apidock.com/rails/ActionController/RequestForgeryProtection only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same rails app in a new browser tab (maybe some info he’d like to read), and again he will get a new token. Then he changes to the first tab again and submits a form on that site (e.g. registration). Then he will get an InvalidAuthenticityToken error, but it was a legal and common user behavior rather that request forgery.

  • Is there a way to store e.g. a map with POST URLs as keys and CSFR tokens as values?
  • Or storing a list of the last n CSFR tokens? The authentication procedure should then first check the newest token etc.

Luma

any comments?

Why would opening a new tab get you a different csrf token?

Fred

Does the new tab re-request the page?

You’re right, sorry…

The invalid authenticity tokens are happening ~1x per day in average and with all kinds of forms in my app. Could it be that the token was outdated because the page was in the browser cache of the user? If so, how do you deal with that? might be overkill… How can we include this only for pages that include forms with authenticity tokens?

Martin

In some situations a new session was created because the user was logging in/out. Could I copy the old CSRF-token into the new session, or would there be any security leak?

In other cases the user was not logging in/out and didn’t get a new session. Maybe the page was cached in the browser, so I added in my layout now.