Repository is archived
No commit activity in last 3 years
No release in over 3 years
Rails 5 default protect_from_forgery is to raise an exception. Some browsers trigger this exception by caching pages. This gem rescues the InvalidAuthenticityToken exception, triggers ExceptionNotifier, and redirects to the login page.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

Runtime

< 5.2, >= 5.0.0
 Project Readme

InvalidAuthenticityTokenRescue

Rails 5 default protect_from_forgery is to raise an exception. Some browsers trigger this exception by caching pages. This gem rescues the InvalidAuthenticityToken exception, triggers ExceptionNotifier, and redirects to the login page. For more details and steps to reprodcue the problem see this issue: rails/rails#21948.

With the default Rails 5 settings users receive an error page when an InvalidAuthenticityToken is raised. For actual malicious requests this would be fine. However, with the way some broswers cache pages legitimate users are getting these error pages and sometimes make repreated unsuccessful attempts to sumbmit a form.

With this gem in place when an InvalidAuthenticityToken is raised it will be rescued. The error information is captured and notifications are sent to developers. The user will be redirected to new_session_path with flash warning set to "Your session has expired, please log in again".

ExceptionNotification Gem Required

Install and congiure the exception_notifcation gem first to receive notifications when InvalidAuthenticityToken exceptions are raised.

Installation

Add this line to your application's Gemfile:

gem 'invalid_authenticity_token_rescue'

Add rescue_from_invalid_authenticity_token to your ApplicationController:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  rescue_from_invalid_authenticity_token
  ...
end

Add skip_before_action to public forms (optional):

class SessionsController < ApplicationController
  skip_before_action :verify_authenticity_token, only: :create
  ...
end

Adding skip_before_action to public forms is optional but will improve user experience. Rails protect_from_forgery is intended to prevent a logged in user's credentials from being maliciously used to submit a form as that user. Publicly accessible forms, like a login page, that do not rely on a currently logged in user are not susceptible to forgery attacks.

Adding skip_before_action will allow the request to complete and the users session to be setup with the correct token. Subsequent forms submitted by the user will complete successfully. If skip_before_action is not added the user will be redirected to the login page and notifed that their session has expired and they need to login again.

Configuration

The default redirect_path is new_session_path. This can be set to a different value with an initializer.

# config/initializers/invalid_authenticity_token_rescue.rb
InvalidAuthenticityTokenRescue.configure do |config|
  config.redirect_path = 'sign_in_path'
end

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/wwidea/invalid_authenticity_token_rescue.

License

The gem is available as open source under the terms of the MIT License.