The default Rails 5 behavior is throwing an exception when a CSRF violation occurs. Since we override `handle_unverified_request` for detecting API requests, the super behavior would be to override the current session with a null session object. This results in no session cookie being created for the anonymous user and subsequent POST requests being impossible. For example, this will happen when you invalidate your cookies while on the login page and try to log in. You will remain in a 422 loop because there is no valid CSRF token. If we instead use `reset_session` only, a new session is generated, the user is logged out and reset, but the following request may issue new data into the session. https://community.openproject.com/wp/28072pull/6459/head
parent d5f6a279d1
commit d980ec8d30
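The 422 loop described in the commit message, modelled as an added plain-Ruby simulation (not OpenProject's or Rails' code): a `FakeController` with a constructed `post`/`session`/`set_cookie` interface stands in for the real controller, and `replay` runs the "cookies invalidated on the login page, then two POSTs" scenario under the null-session strategy and under `reset_session`.

```ruby
require 'securerandom'

# Constructed stand-in for a Rails controller; names are hypothetical.
class FakeController
  attr_reader :session, :set_cookie

  def initialize(strategy, api_request: false)
    @strategy = strategy        # :null_session (super behaviour) or :reset_session
    @api_request = api_request
    @session = nil              # no session cookie presented yet
    @set_cookie = false         # whether this response writes a session cookie
  end

  # One request: the browser presents a session (or nil) and a CSRF token.
  def post(incoming_session, token)
    @session = incoming_session
    @set_cookie = false
    return 401 if @api_request  # API requests are handled by token auth instead
    return 200 if @session && token == @session[:csrf_token]
    handle_unverified_request
    422
  end

  def handle_unverified_request
    case @strategy
    when :null_session
      @session = nil            # null session object: nothing is written back
    when :reset_session
      reset_session
    end
  end

  # Fresh session with a fresh CSRF token; a cookie is set on the response.
  def reset_session
    @session = { csrf_token: SecureRandom.hex(16) }
    @set_cookie = true
  end
end

# Replays the login-page scenario and returns the two status codes.
def replay(strategy)
  ctrl = FakeController.new(strategy)
  first = ctrl.post(nil, nil)   # stale cookies gone: no session, no token
  next_session = ctrl.set_cookie ? ctrl.session : nil
  next_token = next_session && next_session[:csrf_token]
  second = ctrl.post(next_session, next_token)
  [first, second]
end
```

With `:null_session` no cookie is ever set, so every retry is another 422; with `:reset_session` the first response hands out a new session and token, and the next POST succeeds.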