프로덕션 사이트에서 자발적으로 신뢰성있는 토큰 거부 이유

Question

My Rails 응용 프로그램에서 때때로 ActionController :: InvalidAuthenticityToken을 throw합니다. 그것은 한 달에 한 번 정도 자발적으로 발생합니다. CSRF 공격을 시도하는 다른 사이트가 있다고 생각하지 않기 때문에이 드문 사건에 대한 생각을 시작했습니다. 지금까지의 내 결론 :

• 무작위 로봇?
• 양식이 너무 오래 만료되어 서버에서 만료되는 사람들이 있습니까?

위양성 거부 반응에 대한 다른 이유가 있습니까?

그리고 CSRF 당신은 예외를 던지는 대신 프로덕션 환경에서 세션을 널 (null) 아마해야

F, [2016-12-06T16:03:59.050673 #15136] FATAL -- : 
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken): 
    actionpack (4.2.7) lib/action_controller/metal/request_forgery_protection.rb:181:in `handle_unverified_request' 
    actionpack (4.2.7) lib/action_controller/metal/request_forgery_protection.rb:209:in `handle_unverified_request' 
    devise (4.2.0) lib/devise/controllers/helpers.rb:253:in `handle_unverified_request' 
    actionpack (4.2.7) lib/action_controller/metal/request_forgery_protection.rb:204:in `verify_authenticity_token' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:432:in `block in make_lambda' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:164:in `block in halting' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:504:in `block in call' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:504:in `each' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:504:in `call' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:92:in `__run_callbacks__' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:778:in `_run_process_action_callbacks' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:81:in `run_callbacks' 
    actionpack (4.2.7) lib/abstract_controller/callbacks.rb:19:in `process_action' 
    actionpack (4.2.7) lib/action_controller/metal/rescue.rb:29:in `process_action' 
    actionpack (4.2.7) lib/action_controller/metal/instrumentation.rb:32:in `block in process_action' 
    activesupport (4.2.7) lib/active_support/notifications.rb:164:in `block in instrument' 
    activesupport (4.2.7) lib/active_support/notifications/instrumenter.rb:20:in `instrument' 
    activesupport (4.2.7) lib/active_support/notifications.rb:164:in `instrument' 
    actionpack (4.2.7) lib/action_controller/metal/instrumentation.rb:30:in `process_action' 
    actionpack (4.2.7) lib/action_controller/metal/params_wrapper.rb:250:in `process_action' 
    actionpack (4.2.7) lib/abstract_controller/base.rb:137:in `process' 
    actionview (4.2.7) lib/action_view/rendering.rb:30:in `process' 
    actionpack (4.2.7) lib/action_controller/metal.rb:196:in `dispatch' 
    actionpack (4.2.7) lib/action_controller/metal/rack_delegation.rb:13:in `dispatch' 
    actionpack (4.2.7) lib/action_controller/metal.rb:237:in `block in action' 
    actionpack (4.2.7) lib/action_dispatch/routing/route_set.rb:74:in `dispatch' 
    actionpack (4.2.7) lib/action_dispatch/routing/route_set.rb:43:in `serve' 
    actionpack (4.2.7) lib/action_dispatch/routing/mapper.rb:49:in `serve' 
    actionpack (4.2.7) lib/action_dispatch/journey/router.rb:43:in `block in serve' 
    actionpack (4.2.7) lib/action_dispatch/journey/router.rb:30:in `each' 
    actionpack (4.2.7) lib/action_dispatch/journey/router.rb:30:in `serve' 
    actionpack (4.2.7) lib/action_dispatch/routing/route_set.rb:817:in `call' 
    turnout (2.3.1) lib/rack/turnout.rb:25:in `call' 
    omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!' 
    omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call' 
    omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!' 
    omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call' 
    rack-attack (4.4.1) lib/rack/attack.rb:107:in `call' 
    exception_notification (4.2.1) lib/exception_notification/rack.rb:32:in `call' 
    warden (1.2.6) lib/warden/manager.rb:35:in `block in call' 
    warden (1.2.6) lib/warden/manager.rb:34:in `catch' 
    warden (1.2.6) lib/warden/manager.rb:34:in `call' 
    rack (1.6.4) lib/rack/etag.rb:24:in `call' 
    rack (1.6.4) lib/rack/conditionalget.rb:38:in `call' 
    rack (1.6.4) lib/rack/head.rb:13:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/params_parser.rb:27:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/flash.rb:260:in `call' 
    rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context' 
    rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/cookies.rb:560:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:88:in `__run_callbacks__' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:778:in `_run_call_callbacks' 
    activesupport (4.2.7) lib/active_support/callbacks.rb:81:in `run_callbacks' 
    actionpack (4.2.7) lib/action_dispatch/middleware/callbacks.rb:27:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/remote_ip.rb:78:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call' 
    railties (4.2.7) lib/rails/rack/logger.rb:38:in `call_app' 
    railties (4.2.7) lib/rails/rack/logger.rb:20:in `block in call' 
    activesupport (4.2.7) lib/active_support/tagged_logging.rb:68:in `block in tagged' 
    activesupport (4.2.7) lib/active_support/tagged_logging.rb:26:in `tagged' 
    activesupport (4.2.7) lib/active_support/tagged_logging.rb:68:in `tagged' 
    railties (4.2.7) lib/rails/rack/logger.rb:20:in `call' 
    ahoy_matey (1.4.2) lib/ahoy/engine.rb:22:in `call_with_quiet_ahoy' 
    request_store (1.3.1) lib/request_store/middleware.rb:9:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/request_id.rb:21:in `call' 
    rack (1.6.4) lib/rack/methodoverride.rb:22:in `call' 
    rack (1.6.4) lib/rack/runtime.rb:18:in `call' 
    activesupport (4.2.7) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call' 
    rack (1.6.4) lib/rack/sendfile.rb:113:in `call' 
    actionpack (4.2.7) lib/action_dispatch/middleware/ssl.rb:24:in `call' 
    railties (4.2.7) lib/rails/engine.rb:518:in `call' 
    railties (4.2.7) lib/rails/application.rb:165:in `call' 
    /usr/lib/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:97:in `process_request' 
    /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:160:in `accept_and_process_next_request' 
    /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:113:in `main_loop' 
    /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler.rb:416:in `block (3 levels) in start_threads' 
    /usr/lib/ruby/vendor_ruby/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception' 

Answer 1

나는 이것에 대해 도리안과 함께있다. ,

#이 브라우저 재 엽니 세션 쿠키를 삭제,

# 브라우저가 종료 : 당신은 원인을 찾고 있다면

나는 특히이 작은 섹션 상당히 긍정적 인 this issue report in rails github 그 안타 사실이야 요청

을 만들면 기본적 레일에 의해 (내 기억 10 페이지의 경우 기본적으로) 캐싱을 장려 turbolinks을 사용하기 때문에 이것은 특히 사실을하지 않고 캐시에서 페이지를 다시로드합니다.

잠재적으로 복제 할 수있는 다른 방법은 사용자가 DOM (따라서 쿠키/세션)을 으로로드 한 다음 브라우저 관리 도구 (예 : chrome : /)을 통해 세션이나 쿠키를 수동으로 삭제하도록하는 것입니다./설정). 또한 양식의 csrf에 대해 숨겨진 태그를 가지므로 세션 쿠키는 숨기지 않으므로이 오류를 재현해야합니다. 둘 다 필요합니다.

Answer 2

;-)

다음

일부 로그가 ... 무엇인지 설명하지 마십시오 :

당신 ApplicationController에서

(또는 당신에 대해 우려하고있는 컨트롤러) 추가 :

protect_from_forgery with: :null_session 

정말 걱정이된다면, 예를 들어 Bugsnag에 오류로 기록하면 거기에서 요청을 검토하고 그 이유를 이해할 수 있습니다.