Tags: session, session-cookies, csrf, ruby-on-rails-2, ruby-1.8.7

Why is a legitimate user getting logged out involuntarily?


I have an application built on Rails 2. If the user opens two instances of the same application (dev, uat or any two), it logs out while the person is active. Also, this behavior is inconsistent. Sometimes it happens within 2 minutes of login and sometimes it happens once in half an hour.

Also, a very interesting thing to notice is that if I disable the validation for the CSRF token, the user never gets logged out unless the session times out or the user logs out voluntarily.

--Update-- After digging more into the issue I found out that the CSRF is not the cause of this issue. The session id is getting deleted from the cookie. What could be the possible cause of the issue?


Solution

  • So, as I already told in my question, the CSRF validation is not the cause of the log-out issue. So I dug deeper and saw that randomly the session_id cookie was getting deleted, and that is when, as I tried to use the application further, it was obviously getting logged out.

    So the fix for this was to make sure that the session_id cookie could not be deleted. In order to do so I marked the cookie as secure. I was still not able to find out the root cause of this cookie deletion, though.

    I was using the SqlSessionStore to store session info. Following is the fix that I put in:

    ActionController::Dispatcher.middleware.swap(:"ActiveRecord::SessionStore",
                                                 SqlSessionStore, {:secure => true})
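As an added illustration of what the `:secure => true` option in the fix above changes (example code, not from the question or answer), the snippet below parses Set-Cookie headers, audits the session cookie for the Secure and HttpOnly attributes, and models whether a browser would attach the cookie to a plain-HTTP request. The cookie name `_session_id` and the two header strings are constructed for the example.

```ruby
# Added example: audit a Rails session cookie's Set-Cookie attributes.
# Uses Ruby 1.8-compatible hash syntax. SESSION_COOKIE is the assumed
# Rails 2 default cookie name; the header strings below are constructed.

SESSION_COOKIE = '_session_id'

# Parse one Set-Cookie header into name, value and a hash of attributes.
# Flag attributes without a value (secure, HttpOnly) are stored as true.
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  { :name => name, :value => value, :attributes => attributes }
end

# Return findings for the session cookie; an empty list means it carries
# both hardening flags. Other cookies are not audited here.
def audit_session_cookie(header)
  cookie = parse_set_cookie(header)
  return [] unless cookie[:name] == SESSION_COOKIE
  findings = []
  unless cookie[:attributes]['secure']
    findings << 'missing Secure flag: cookie is also sent over plain HTTP'
  end
  unless cookie[:attributes]['httponly']
    findings << 'missing HttpOnly flag: cookie is readable by page scripts'
  end
  findings
end

# Model the browser rule for the Secure attribute: a Secure cookie is only
# attached to requests over https; a non-Secure cookie goes over either.
def sent_over?(header, scheme)
  cookie = parse_set_cookie(header)
  return true unless cookie[:attributes]['secure']
  scheme == 'https'
end

# Constructed headers: before the fix, and after :secure => true plus HttpOnly.
WEAK   = '_session_id=abc123; path=/'
STRONG = '_session_id=abc123; path=/; secure; HttpOnly'

if __FILE__ == $0
  puts "weak:   #{audit_session_cookie(WEAK).inspect}"
  puts "strong: #{audit_session_cookie(STRONG).inspect}"
end
```

Running the audit against the response headers of each instance (dev, uat) shows whether the session cookie leaves the server with the flags the fix intended.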