I would like to be able to rescue this error and do stuff in some specific controllers, only if it was raised because of session expiry (set to 24h in session_store.rb).
Is there a way to know the difference between session expiry and an actual CSRF attack/missing authenticity token when raising this error?
I am currently using this configuration:
Rails.application.config.session_store :redis_store, redis_server: redis_url, expire_after: 24.hours
I am trying to understand the specifics of how the Rails server knows that the authenticity_token should be considered invalid.
I guess the information I am missing is: where is the backend logic that compares
- the date of the first response + cookie creation
- the date after the expiry time (24h in my case) and checks that the cookie/session/token is not valid anymore? Is that on the Rails side? On the Redis side? In the browser?
I hope I could make my question clear enough! Thanks :)
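The mechanism the question asks about, as an added example that is not part of the original post and not Rails' or redis-store's own code: a constructed Ruby simulation of a TTL-backed session store and a CSRF token comparison. The class and function names (`TtlSessionStore`, `FakeClock`, `verify_authenticity`, `run_scenario`) and the sample session/token values are assumptions made for the example. It models what happens in a Rails app with `expire_after`: the CSRF token lives inside the session (`session[:_csrf_token]`), the store enforces the 24h lifetime via a per-key TTL (Redis) and the cookie's own expiry, and Rails itself only compares the submitted token with whatever the cookie's session id still resolves to. Once the store has dropped the session there is nothing to compare against, so the request fails the same way a forged request does.

```ruby
# Added example (constructed simulation, not Rails internals): how a session
# store with expire_after and the CSRF token check interact.
require 'securerandom'

# Stand-in for a Redis-backed session store with expire_after semantics.
# Redis enforces the lifetime with a key TTL; the date arithmetic happens
# here, in the store, not in the token comparison.
class TtlSessionStore
  def initialize(expire_after:, clock:)
    @expire_after = expire_after   # seconds, like 24.hours in session_store.rb
    @clock = clock                 # injectable clock so the example can advance time
    @data = {}                     # sid => [expires_at, session_hash]
  end

  def write(sid, session)
    @data[sid] = [@clock.now + @expire_after, session]
  end

  # Like a Redis GET on an expired key: nothing comes back and the key is gone.
  def read(sid)
    entry = @data[sid]
    return nil unless entry
    expires_at, session = entry
    if @clock.now >= expires_at
      @data.delete(sid)
      return nil
    end
    session
  end
end

# Minimal clock the scenario can move forward (assumed helper for the example).
class FakeClock
  attr_accessor :now
  def initialize(now)
    @now = now
  end
end

# Constant-time comparison so token length/content is not leaked via timing.
def same_token?(submitted, expected)
  return false if submitted.nil? || submitted.bytesize != expected.bytesize
  submitted.bytes.zip(expected.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the shape of the Rails check: form token vs token stored in the
# session the cookie resolves to. Returns a symbol instead of true/false so
# the simulation can show the three outcomes the question wants to tell apart.
def verify_authenticity(store, sid_from_cookie, submitted_token)
  session = sid_from_cookie && store.read(sid_from_cookie)
  return :session_missing if session.nil? || session[:_csrf_token].nil?

  same_token?(submitted_token, session[:_csrf_token]) ? :valid : :token_mismatch
end

def run_scenario
  clock = FakeClock.new(Time.utc(2024, 1, 1, 0, 0, 0))      # constructed start time
  store = TtlSessionStore.new(expire_after: 24 * 60 * 60, clock: clock)

  # First response: a session is created, a CSRF token stored in it, and the
  # session id handed to the browser in the cookie (with its own expiry).
  sid = SecureRandom.hex(16)
  token = SecureRandom.base64(32)
  store.write(sid, { _csrf_token: token })

  results = {}
  # Form posted one hour later with the genuine token: accepted.
  clock.now += 3600
  results[:fresh] = verify_authenticity(store, sid, token)
  # Same live session, wrong token: the case the CSRF check exists for.
  results[:forged] = verify_authenticity(store, sid, SecureRandom.base64(32))
  # Form posted after expire_after: the store has dropped the session, so even
  # the genuine token can no longer be matched against anything.
  clock.now += 24 * 60 * 60
  results[:expired] = verify_authenticity(store, sid, token)
  results
end

if __FILE__ == $PROGRAM_NAME
  run_scenario.each { |label, outcome| puts "#{label}: #{outcome}" }
end
```

The simulation returns a distinct symbol for the expired case only because it can inspect the store directly; Rails' own check yields a single true/false and raises one exception for both the forged and the expired case, which is why the question is hard to answer from inside a `rescue_from` handler alone.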