Interaction races between flashes, CSRF tokens and other session features, and streaming rendering

[jcoglan]

This may very well be a case of me holding it wrong, but I'm wondering if this is an overlooked case that Rails should handle gracefully, or if it's up to the user to fix.

Basically, some things like CSRF tokens and flashes live in the session, and involve mutable state. CSRF tokens are lazily generated and put in the session when you call form_authenticity_token, and the Flash object is lazily created and swept when you access the flash API, also typically during rendering.

If you're using streaming rendering (render :stream => true), this means the session is being modified after it is serialized and sent as a Set-Cookie header, if you are using the cookie store. This means you get races where flash messages persist forever, and forms cannot be submitted.

I am currently fixing them by adding the following to ApplicationController for force-generate these values before the headers are sent:

before_filter :form_authenticity_token
before_filter :flash

Should Rails handle this transparently, or is it on me to fix it, and if the latter, is there a better way of fixing it?

[senny]

/cc @tenderlove

[rails-bot]

This issue has been automatically marked as stale because it has not been commented on for at least
three months.

The resources of the Rails team are limited, and so we are asking for your help.

If you can still reproduce this error on the 4-1-stable, 4-0-stable branches or on master,
please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions.

[rails-bot]

This issue has been automatically closed because of inactivity.

If you can still reproduce this error on the 4-1-stable, 4-0-stable branches or on master,
please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions.

[jarthod]

Hi, I just started using streaming with Rails 4.2 and fell into this exact two issue (flash messages persisting forever and form not submitted because of invalid CSRF).
So I confirm this issue is still present on latest stable Rails version, I'm currently working around this the same way @jcoglan did, by running form_authenticity_token and flash before rendering.

This is low priority but a bit annoying and prevents streaming adoption.

[jarthod]

Sorry to revive this but has anything been done (or at least thought) about this issue for Rails 5 ?
Because the issue is still present in rails 4.2.

[maclover7]

Reopening.

[rafaelfranca]

Still need a way to reproduce it, so please provide it.

[maclover7]

Can you create an executable test script using one of the templates here?

[jarthod]

Sure, i'll try to do that ;)