I've recently switched from storing session data in a cookie to storing it in the database.

Now every POST request causes an ActionController::InvalidAuthenticityToken error. It only happens in Firefox, and only on my home machine (I tried it out at work today in the same version of FF and everything was fine). This leads me to believe that it's something to do with the cookie I deleted yesterday...

Here's the relevant part of environment.rb:

# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
config.action_controller.session = {
  :session_key => '_basillslam_session',
  :secret      => '373ee5b69a4a31d3318485fs368c41fac6b797a1f5c35693b49bd34e8a96291b92dd577bd49de7aeea56c9ffa1af2d8386bafe857220cafacfa0028f01be357d78'
}

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with 'rake db:sessions:create')
config.action_controller.session_store = :active_record_store

In application.rb:

protect_from_forgery :secret => 'f1d54db45b47ec94a6a54b1e744fafa6'

Here's the part of the full trace where the error is thrown:

C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/request_forgery_protection.rb:79:in `verify_authenticity_token'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:469:in `send!'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:469:in `call'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:441:in `run'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:716:in `run_before_filters'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:695:in `call_filters'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:689:in `perform_action_without_benchmark'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
C:/INSTAN~1/ruby/lib/ruby/1.8/benchmark.rb:293:in `measure'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/rescue.rb:199:in `perform_action_without_caching'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:678:in `perform_action'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
C:/INSTAN~1/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/query_cache.rb:8:in `cache'
[etc. ... ]

Has anybody experienced this before? Or does anybody know why this might be happening?

+3  A: 

The exact same thing happened to me when I switched one of my sites. Delete the Rails session cookie for that site in your home Firefox Browser.

It only happens if you had a pre-existing session that used the cookie store. So, hopefully, only you and your browser will ever see the issue. After you've deleted the cookie, you'll never see the error again.

With the session in the database and only a random key to map to that session in the browser's cookies, the session protection magic is no longer necessary.

Otto
Thanks Otto, I had a feeling it'd be something to do with old cookies. The thing is though, I'm pretty sure I've deleted all the cookies for this application (the machine has been turned off more than once, which would have cleared sessions, right?). Is there some specific step I'm missing out?
joecorcoran
Also, is it okay that the :session_key and :secret are being set both in environment.rb and application.rb? Is this causing confusion perhaps? I just made sure my cookies are deleted and I'm still getting the same error. Weird.
joecorcoran
Thanks for all your comments Otto. I had to resort to re-installing Firefox. A little annoying that deleting my session cookies wasn't fixing the problem, since that's almost definitely why the error was being thrown.
joecorcoran
+1  A: 

Thanks to Otto, I now know the reason why this happens. Although, I was able to get around the problem by writing <%= token_tag %> within the form which is being POSTed. The token_tag puts a hidden field containing the authenticity token in the form and hence the ActionController::InvalidAuthenticityToken error vanishes.

Chirantan
Thanks, Chirantan, I'll give this a go tonight. It seems odd that I should have to make a change to the site to make it work on my home machine though! I'm pretty sure that Rails's form helpers include the necessary authenticity_token by default, right?
joecorcoran
Makes sense, turning off the cookie session store probably makes the form helpers not insert that anymore.
Otto
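To make the mechanism behind both answers concrete, here is an added Ruby model (not Rails's own code, and not from anyone in this thread) of the forgery check: the token is a digest bound to the secret and the session id, so a token minted while the browser still held an old cookie-store session fails once the request is resolved to a fresh database session, and a form rendered with a token_tag-style hidden field against the new session passes. SECRET, SessionStore, handle_request and the session ids are constructed for the example.

```ruby
require 'digest/sha1'
require 'securerandom'

# Constructed secret for the example only.
SECRET = 'constructed-example-secret-not-a-real-key'

# Minimal stand-in for a database-backed session store (hypothetical, not Rails's).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Look the cookie's session id up; an unknown id (e.g. one issued by the old
  # cookie store) gets a brand-new session, so the id the request is bound to changes.
  def resolve(cookie_session_id)
    return cookie_session_id if @sessions.key?(cookie_session_id)
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = {}
    new_id
  end
end

# The token is a digest over the secret and the session id, so a token minted
# for one session is worthless for another.
def form_authenticity_token(session_id, secret = SECRET)
  Digest::SHA1.hexdigest("#{secret}--#{session_id}")
end

# What a token_tag-style helper emits: a hidden field carrying the session's token.
def token_tag(session_id)
  %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token(session_id)}" />)
end

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Models verify_authenticity_token: GET is exempt; other verbs must carry a token
# matching the session the request was actually resolved to.
# Returns [verified?, session_id_to_set_in_the_cookie].
def handle_request(method, cookie_session_id, params, store)
  session_id = store.resolve(cookie_session_id)
  return [true, session_id] if method == 'GET'
  token = params.fetch('authenticity_token', '')
  [secure_compare(token, form_authenticity_token(session_id)), session_id]
end
```

Deleting the stale cookie (or reinstalling the browser, as joecorcoran ended up doing) has the same effect as the first rejected request: the client ends up with a cookie naming a session the database store actually knows.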