recover from bad CSRF tokens without requiring a hard refresh of the browser

2025-02-25 18:55:32 -06:00 · 2013-08-27 15:56:12 +10:00
parent bec463564f
commit c4a0152dc6
5 changed files with 16 additions and 9 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -22,7 +22,7 @@ class ApplicationController < ActionController::Base
    unless is_api?
      super
      clear_current_user
-      raise Discourse::CSRF
+      render text: "['BAD CSRF']", status: 403
    end
  end

--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -67,7 +67,7 @@ class SessionController < ApplicationController
  end

  def destroy
-    session[:current_user_id] = nil
+    reset_session
    cookies[:_t] = nil
    render nothing: true
  end
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -83,6 +83,8 @@ class Users::OmniauthCallbacksController < ApplicationController
    # log on any account that is active with forum access
    if Guardian.new(user).can_access_forum? && user.active
      log_on_user(user)
+      # don't carry around old auth info, perhaps move elsewhere
+      session[:authentication] = nil
      @data.authenticated = true
    else
      if SiteSetting.invite_only?