Ruby on Rails: reasons a production site spontaneously rejects authenticity tokens

Tags: ruby-on-rails, csrf, csrf-protection

My Rails application throws ActionController::InvalidAuthenticityToken from time to time. It happens spontaneously about once a month. Since I don't believe any other site is attempting a CSRF attack, I started thinking about this rare event. My conclusions so far:

  • random bots
  • people waiting too long before submitting a form, so the form expires on the server

Are there other causes for this kind of false-positive rejection?

Please don't explain what CSRF is ;-)

Here are some logs

F, [2016-12-06T16:03:59.050673 #15136] FATAL -- : 
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  actionpack (4.2.7) lib/action_controller/metal/request_forgery_protection.rb:181:in `handle_unverified_request'
  actionpack (4.2.7) lib/action_controller/metal/request_forgery_protection.rb:209:in `handle_unverified_request'
  devise (4.2.0) lib/devise/controllers/helpers.rb:253:in `handle_unverified_request'
  actionpack (4.2.7) lib/action_controller/metal/request_forgery_protection.rb:204:in `verify_authenticity_token'
  activesupport (4.2.7) lib/active_support/callbacks.rb:432:in `block in make_lambda'
  activesupport (4.2.7) lib/active_support/callbacks.rb:164:in `block in halting'
  activesupport (4.2.7) lib/active_support/callbacks.rb:504:in `block in call'
  activesupport (4.2.7) lib/active_support/callbacks.rb:504:in `each'
  activesupport (4.2.7) lib/active_support/callbacks.rb:504:in `call'
  activesupport (4.2.7) lib/active_support/callbacks.rb:92:in `__run_callbacks__'
  activesupport (4.2.7) lib/active_support/callbacks.rb:778:in `_run_process_action_callbacks'
  activesupport (4.2.7) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (4.2.7) lib/abstract_controller/callbacks.rb:19:in `process_action'
  actionpack (4.2.7) lib/action_controller/metal/rescue.rb:29:in `process_action'
  actionpack (4.2.7) lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
  activesupport (4.2.7) lib/active_support/notifications.rb:164:in `block in instrument'
  activesupport (4.2.7) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
  activesupport (4.2.7) lib/active_support/notifications.rb:164:in `instrument'
  actionpack (4.2.7) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
  actionpack (4.2.7) lib/action_controller/metal/params_wrapper.rb:250:in `process_action'
  actionpack (4.2.7) lib/abstract_controller/base.rb:137:in `process'
  actionview (4.2.7) lib/action_view/rendering.rb:30:in `process'
  actionpack (4.2.7) lib/action_controller/metal.rb:196:in `dispatch'
  actionpack (4.2.7) lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'
  actionpack (4.2.7) lib/action_controller/metal.rb:237:in `block in action'
  actionpack (4.2.7) lib/action_dispatch/routing/route_set.rb:74:in `dispatch'
  actionpack (4.2.7) lib/action_dispatch/routing/route_set.rb:43:in `serve'
  actionpack (4.2.7) lib/action_dispatch/routing/mapper.rb:49:in `serve'
  actionpack (4.2.7) lib/action_dispatch/journey/router.rb:43:in `block in serve'
  actionpack (4.2.7) lib/action_dispatch/journey/router.rb:30:in `each'
  actionpack (4.2.7) lib/action_dispatch/journey/router.rb:30:in `serve'
  actionpack (4.2.7) lib/action_dispatch/routing/route_set.rb:817:in `call'
  turnout (2.3.1) lib/rack/turnout.rb:25:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  rack-attack (4.4.1) lib/rack/attack.rb:107:in `call'
  exception_notification (4.2.1) lib/exception_notification/rack.rb:32:in `call'
  warden (1.2.6) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.6) lib/warden/manager.rb:34:in `catch'
  warden (1.2.6) lib/warden/manager.rb:34:in `call'
  rack (1.6.4) lib/rack/etag.rb:24:in `call'
  rack (1.6.4) lib/rack/conditionalget.rb:38:in `call'
  rack (1.6.4) lib/rack/head.rb:13:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/flash.rb:260:in `call'
  rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.2.7) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
  activesupport (4.2.7) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
  activesupport (4.2.7) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (4.2.7) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.7) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.7) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.7) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.2.7) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.2.7) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.2.7) lib/rails/rack/logger.rb:20:in `call'
  ahoy_matey (1.4.2) lib/ahoy/engine.rb:22:in `call_with_quiet_ahoy'
  request_store (1.3.1) lib/request_store/middleware.rb:9:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.4) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.7) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
  actionpack (4.2.7) lib/action_dispatch/middleware/ssl.rb:24:in `call'
  railties (4.2.7) lib/rails/engine.rb:518:in `call'
  railties (4.2.7) lib/rails/application.rb:165:in `call'
  /usr/lib/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:97:in `process_request'
  /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:160:in `accept_and_process_next_request'
  /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:113:in `main_loop'
  /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler.rb:416:in `block (3 levels) in start_threads'
  /usr/lib/ruby/vendor_ruby/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'

You should probably use a null session in production instead of raising an exception. In ApplicationController (or whichever controller you care about) add:

protect_from_forgery with: :null_session

If you are really worried about it, my suggestion is to log the error to Bugsnag, for example, where you can look at the request and understand why it happened.

On the solution, I'm with Dorian.

If you are looking for what I believe is the real cause, especially this small part:

# Browser quits, clearing the session cookie

# Browser reopens, reloading the page from cache without making a request

This is especially true because Rails uses turbolinks, which encourages caching (10 pages by default, if I remember correctly).

Another way this could be reproduced is to have a user load your DOM (and therefore your cookies/session), then have them clear it through the browser's management tools (e.g. chrome://settings). This would also reproduce the error, because the form has the hidden CSRF tag but there is no session cookie... and both are needed.
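The two answers above describe a form token minted under one session being submitted against a missing or fresh session, and the :exception versus :null_session strategies. This added example (not code from the question or from Rails itself) reimplements the Rails 4.2 masked-token check in plain Ruby and runs those scenarios; the session hash and helper names are assumptions for the demonstration.

```ruby
require 'securerandom'
require 'base64'
TOKEN_LENGTH = 32 # Rails' AUTHENTICITY_TOKEN_LENGTH
# Session-side token, as Rails 4.2 keeps it in session[:_csrf_token] (base64 of 32 random bytes).
def new_session_token
  SecureRandom.base64(TOKEN_LENGTH)
end
def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end
# Per-form token: a random one-time pad XORed over the session token, so each rendered form
# carries a different value (the Rails 4.2 masking scheme, reimplemented here; not Rails' code).
def masked_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor(pad, Base64.strict_decode64(session_token)))
end
# Server-side check: unmask the submitted token and compare it with the token in the session
# that arrived with *this* request. A missing session cookie or a fresh session cannot match.
def valid_authenticity_token?(session, form_token)
  return false if session[:_csrf_token].nil? || form_token.nil?
  begin
    decoded = Base64.strict_decode64(form_token)
  rescue ArgumentError
    return false # malformed token (e.g. a bot posting junk)
  end
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  unmasked = xor(decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH])
  expected = Base64.strict_decode64(session[:_csrf_token])
  # constant-time comparison, so response timing does not reveal how many bytes matched
  unmasked.bytes.zip(expected.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# The two protect_from_forgery strategies named in the answers: :exception raises (what the
# question's log shows); :null_session continues with an empty session for this request only.
def handle_request(strategy, session, form_token)
  return session if valid_authenticity_token?(session, form_token)
  raise 'ActionController::InvalidAuthenticityToken' if strategy == :exception
  {} # simplified :null_session: Rails substitutes a NullSessionHash, it does not wipe the store
end
# Constructed scenarios: a form rendered under one session, then submitted after the browser
# quit, cookies were cleared, or the page came from cache, so the server sees no or a new session.
def scenarios
  old_session = { _csrf_token: new_session_token }
  form_token = masked_token(old_session[:_csrf_token])
  { same_session:  valid_authenticity_token?(old_session, form_token),
    no_cookie:     valid_authenticity_token?({}, form_token),
    new_session:   valid_authenticity_token?({ _csrf_token: new_session_token }, form_token),
    garbage_token: valid_authenticity_token?(old_session, 'not base64!') }
end
```

Only the same_session case passes; the other three are exactly the "hidden tag present, session gone" situation the answer describes, and with :null_session they proceed with an empty session instead of the FATAL log entry above.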

There are many causes. One is explained in this question, and the one related to @slowjack2k looks like a serious problem. But I observe this very rarely, so I guess it's more a timing and caching issue, as described here.

I'm curious, did you find out? I'm also seeing occasional errors like this and I'm digging further.

No, sorry, I haven't had time for a more detailed investigation, and it doesn't seem to be a problem in production. So far nobody has complained about it.

Does your server have logs that could provide some detail/context about what happened and when?

Thanks, I think that may be it.

@MarkusGraf I'd love to know whether that really was the problem. What was your feedback from testing it?