1

Every form on my home page is showing a different authenticity token. The CSRF meta tag shows yet another authenticity token.

Shouldn't they all be the same?

I created a new Rails 4 project and all the tokens matched.

Nick Urban

1 Answer

0

I believe this was caused by fragment caching. If you're caching forms, the token will be cached along with the rest of the content. Two strategies for addressing this are:

  1. Set the hidden field authenticity tokens from the one in the header using JavaScript. This has the disadvantage that it requires JavaScript.
  2. Create a new cache method that does a search-and-replace on the fetched fragment before rendering it, to replace the authenticity token with the current one. This has the disadvantage of being more complicated and adding overhead to your page rendering time.
Nick Urban
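The second strategy from the answer above, sketched in plain Ruby as an added example (not code from the original post or from Rails). The helper name `refresh_authenticity_tokens` and the sample fragment are assumptions; in a Rails view the current token would come from `form_authenticity_token`.

```ruby
require "cgi"

# One whole <input ...> tag, so each field can be inspected on its own.
INPUT_TAG  = /<input\b[^>]*>/i
# The hidden CSRF field; the lookbehind skips attributes such as data-name.
TOKEN_NAME = /(?<![\w-])name\s*=\s*(["'])authenticity_token\1/i
# That field's value attribute, in either quote style.
VALUE_ATTR = /(?<![\w-])value\s*=\s*(["'])(.*?)\1/im

# Hypothetical helper: returns a copy of a cached HTML fragment in which every
# authenticity_token field carries current_token instead of the cached value.
# All other inputs are left byte-for-byte unchanged.
def refresh_authenticity_tokens(fragment, current_token)
  escaped = CGI.escapeHTML(current_token) # the token is placed in an attribute
  fragment.gsub(INPUT_TAG) do |tag|
    next tag unless tag.match?(TOKEN_NAME)
    if tag.match?(VALUE_ATTR)
      # Block form avoids backslash handling in the replacement string.
      tag.sub(VALUE_ATTR) { "value=\"#{escaped}\"" }
    else
      # Field cached without a value: add one before the closing bracket.
      tag.sub(/\s*\/?>\z/) { " value=\"#{escaped}\" />" }
    end
  end
end

# Constructed sample: a fragment as it might come back from the cache, with
# stale tokens in two forms and one unrelated field that must not change.
CACHED_FRAGMENT = <<~HTML
  <form action="/search"><input type="hidden" name="authenticity_token" value="STALE-1" />
  <input type="text" name="q" value="keep-me" /></form>
  <form action="/login"><input value='STALE-2' type='hidden' name='authenticity_token'></form>
HTML

if __FILE__ == $0
  # "CURRENT+token/==" stands in for the token of the request being rendered.
  puts refresh_authenticity_tokens(CACHED_FRAGMENT, "CURRENT+token/==")
end
```

The substitution has to run on every render of the cached fragment, which is the overhead the answer mentions.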