I've noticed that if you post with an invalid CSRF token, rails/devise automatically signs you out.
I have an application that doesn't refresh the page, and users
CSRF protection in Rails works by storing a random value as a field in the form being submitted, and also in the user session. If the values don't match when a form is submitted, Rails rejects the form submission request.
If you're using the default cookie session store in Rails, then sessions won't expire (until the cookie does). If you're using something else (file- or DB-backed sessions), then yes, if those sessions expire, the form submission will fail with a CSRF error.
So if you're using cookie-based sessions (the default), check the cookie expiry. If that looks OK, it's probably some other issue.
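
The check described in the answer above, as an added example in plain Ruby (not part of the original post and not Rails' own implementation). It models a server-side session store with an idle timeout and a page that holds its form token without reloading; the class, the method names and the TTL values are assumptions made for the illustration.

```ruby
require "securerandom"

# Hypothetical server-side session store with an idle timeout (constructed).
class ServerSideSessionStore
  def initialize(ttl_seconds)
    @ttl = ttl_seconds
    @sessions = {}
  end

  def create(now)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { data: {}, touched: now }
    sid
  end

  # Returns the session hash, or nil when the session is unknown or expired.
  def load(sid, now)
    entry = @sessions[sid]
    return nil if entry.nil?
    return @sessions.delete(sid) && nil if now - entry[:touched] > @ttl
    entry[:touched] = now
    entry[:data]
  end
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Rendering a form stores a random value in the session and embeds it in the form.
def render_form(session)
  session[:csrf_token] ||= SecureRandom.base64(32)
end

# The submission is accepted only if the form value matches the session value.
def verify_submission(session, submitted_token)
  return :rejected_no_session if session.nil?
  expected = session[:csrf_token]
  return :rejected_no_token if expected.nil? || submitted_token.nil?
  secure_compare(expected, submitted_token) ? :accepted : :rejected_mismatch
end

# The page is rendered once at t=0 and submits after `idle` seconds, no reload.
def simulate(ttl:, idle:)
  store = ServerSideSessionStore.new(ttl)
  sid = store.create(0)
  token = render_form(store.load(sid, 0))
  verify_submission(store.load(sid, idle), token)
end
```

With a 30-minute TTL, `simulate(ttl: 1800, idle: 600)` is accepted, while `simulate(ttl: 1800, idle: 3600)` is rejected because the session holding the expected token no longer exists.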