In some situations a new session was created because the user was logging in/out. Could I copy the old CSRF-token into the new session, or would there be any security leak?
In other cases the user was not logging in/out and didn't get a new session. Maybe the page was cached in the browser, so I added in my layout <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"> now.