How can I check in Rails controller if InvalidAuthenticityToken error was raised from session expiry?

264 views Asked by At

I would like to be able to rescue this error and do stuff in some specific controllers, only if it was raised because of session expiry (set to 24h in session_store.rb). Is there a way to know the difference between session expiry and an actual CSRF attack/missing authenticity token when raising this error?

I am currently using this configuration :

Rails.application.config.session_store :redis_store, redis_server: redis_url, expire_after: 24.hours

I am trying to understand the specifics of how the Rails server knows that the authenticity_token should be considered invalid.

I guess the information I miss is : where is the backend logic of comparison between

  • the date of first response + cookie creation
  • the date after expiry time (24h in my case) that checks that the cookie/session/token is not valid anymore ? Is that on Rails side ? On Redis side ? In the browser ?

I hope I could make my question clear enough ! Thanks :)

0

There are 0 answers