Question

I have set up Devise and OmniAuth based authentication, and it has been working fine for the most part. After login, I have current_user set and, using before_filter :authenticate_user!, it works mostly as expected. The session sticks even when I (manually) go to other sites. When I come back to my site, I am still logged in.

I ran into issues while trying to integrate with a payment gateway provider.

I do a form post to the payment gateway, which does its thing and then returns the user to my site by doing a form post. When the user lands on my site, the cookies are scrubbed and the authentication is lost. This means that current_user is now nil.

The flow is something like

Order - > Login -> Confirm -> PaymentGateway -> CallBack(MySite) 
   |                 ^
   | -- loggedin --  |
    -----------------

I further investigated using Firefox's inspector and it looks like the cookies are set correctly. For example, after I login the cookie is _session_id:f58b52e6c168178711ba66aa3ac9d637. When I return from the Payment Gateway the cookie (according to Firefox) is _session_id:f58b52e6c168178711ba66aa3ac9d637. This would lead me to believe that I would stay authenticated. However, when I print current_user I get nil.

I also print the cookies in my controllers and they are correct:

In The confirm action when I print the cookies I get

Cookies #<ActionDispatch::Cookies::CookieJar:0x000001017c33d0, @set_cookies={}, @delete_cookies={}, @host="localhost", @secure=true, @closed=false, @cookies={"_session_id"=>"f58b52e6c168178711ba66aa3ac9d637"}>

In the CallBack(MySite) page if I print the cookies, I get

Cookies #<ActionDispatch::Cookies::CookieJar:0x0000012b2225f0 @set_cookies={}, @delete_cookies={"remember_user_token"=>{:path=>"/"}}, @host="localhost", @secure=true, @closed=false, @cookies={"_session_id"=>"f58b52e6c168178711ba66aa3ac9d637"}>

What am I missing here? Why is Devise deliberately logging me out? And is there a way I can remain logged in?

Edit:

I also tried rememberable. That also does not work and scrubs the cookie.

In The confirm action when I print the cookies I get

Cookies #<ActionDispatch::Cookies::CookieJar:0x0000012b286fc8 @secret="4ccae7dce24d26dcf98220fb1e54cacf412efe1bf7dc003e1e5315abf50f5c4ep9g6i62b8a9d83cf3501564c7bd70ca7722db85a46015652c3d7fa4f156d4d0b", @set_cookies={}, @delete_cookies={}, @host="localhost", @secure=true, @closed=false, @cookies={"_session_id"=>"f63c3165f807b15e4a4e7de4a615d012", "remember_user_token"=>"BAhbB1sGaQYiIiQyYSQxMCRxVGJoVzEydjJtQ1Y4dndUeTdJMVp1--099213f62d5e317d9f83e758ac5995395e63ce7f"}>

Note that the remember_user_token is set.

In the CallBack(MySite) page if I print the cookies, I get

#<ActionDispatch::Cookies::CookieJar:0x0000012b410100 @secret="4ccae7dce24d26dcf98220fb1e54cacf412efe1bf7dc003e1e5315abf50f5c4ep9g6i62b8a9d83cf3501564c7bd70ca7722db85a46015652c3d7fa4f156d4d0b", @set_cookies={}, @delete_cookies={"remember_user_token"=>{:path=>"/"}}, @host="localhost", @secure=true, @closed=false, @cookies={"_session_id"=>"f63c3165f807b15e4a4e7de4a615d012"}>

So a before filter has deleted the remember_user_token cookie. In Firefox's inspector I can confirm that both cookies are sent to the site and to Rails.

Either way, Devise is logging me out when the incoming action is a post from an external site. Is this expected behavior? Can I change it?


Solution

You need to disable request forgery protection when the external website is posting (or for that specific action), otherwise Rails' protection mechanism against CSRF attacks is going to (correctly) log you out.
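To make the mechanism behind the answer concrete, here is an added stand-alone model of it (not Rails or Devise source, and not code from the question or answer). It mimics the Rails 3 behaviour the question is hitting: verify_authenticity_token runs before every non-GET action, and when the gateway's form post arrives without an authenticity_token, handle_unverified_request fires. Devise hooks that method to sign out all scopes (which is why remember_user_token shows up in @delete_cookies above) before Rails' default handler resets the session, so current_user becomes nil. Exempting only the callback action from the check, as the answer suggests, leaves the session intact. The session keys, the "alice" user and the order_id parameter are made up for the example.

```ruby
require "securerandom"

# Minimal stand-in for a Rails controller with forgery protection plus the
# Devise sign-out hook. Method names mirror Rails/Devise; the internals are
# simplified for illustration and are not the framework's own code.
class MiniController
  attr_reader :session, :deleted_cookies

  def self.csrf_exempt
    @csrf_exempt ||= []
  end

  # Stand-in for `skip_before_filter :verify_authenticity_token, only: [...]`.
  def self.skip_verify_authenticity_token(*actions)
    csrf_exempt.concat(actions)
  end

  def initialize(session)
    @session = session        # server-side data behind the _session_id cookie
    @deleted_cookies = []     # cookies the response will tell the browser to drop
  end

  # Rails runs the CSRF check before every non-GET action unless the action
  # was skipped; the gateway's POST back to the site goes through this path.
  def dispatch(action, method:, params:)
    unless method == "GET" || self.class.csrf_exempt.include?(action)
      verify_authenticity_token(params)
    end
    public_send(action)
  end

  def verify_authenticity_token(params)
    expected = session["_csrf_token"]
    given = params["authenticity_token"]
    handle_unverified_request unless expected && given && secure_equal?(expected, given)
  end

  # Devise's override: sign out every scope (deleting remember_user_token),
  # then fall through to Rails' default of resetting the session.
  def handle_unverified_request
    sign_out_all_scopes
    reset_session
  end

  def sign_out_all_scopes
    session.delete("warden.user.user.key")
    deleted_cookies << "remember_user_token"
  end

  def reset_session
    session.clear
  end

  def current_user
    session["warden.user.user.key"]
  end

  private

  # Constant-time comparison so the token check does not leak by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The controller as described in the question: callback protected like any POST.
class NaiveOrdersController < MiniController
  def callback
    current_user
  end
end

# The answer's fix: only the gateway's callback action skips the CSRF check.
class FixedOrdersController < MiniController
  skip_verify_authenticity_token :callback

  def callback
    current_user
  end
end

# Build a logged-in session, then replay the gateway's form post, which carries
# no authenticity_token because the gateway never rendered a page that had one.
def gateway_callback(controller_class)
  session = { "_csrf_token" => SecureRandom.base64(32), "warden.user.user.key" => "alice" }
  controller = controller_class.new(session)
  user = controller.dispatch(:callback, method: "POST", params: { "order_id" => "42" })
  { current_user: user, deleted_cookies: controller.deleted_cookies }
end

# A same-site form post that carries the token still passes the check.
def same_site_post(controller_class)
  token = SecureRandom.base64(32)
  session = { "_csrf_token" => token, "warden.user.user.key" => "alice" }
  controller = controller_class.new(session)
  controller.dispatch(:callback, method: "POST", params: { "authenticity_token" => token })
end

if __FILE__ == $PROGRAM_NAME
  p gateway_callback(NaiveOrdersController)  # {:current_user=>nil, :deleted_cookies=>["remember_user_token"]}
  p gateway_callback(FixedOrdersController)  # {:current_user=>"alice", :deleted_cookies=>[]}
end
```

The caveat that goes with this fix: once the callback action skips the CSRF check, any site can post to it in the browser's authenticated context, so the action must establish for itself that the request really came from the gateway (whatever signature, shared secret or server-side verification call the gateway documents) and must never take payment or order state from unverified parameters. Skip the check only for that one action, not controller-wide.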

Licensed under: CC-BY-SA with attribution