
I am not sure I completely understand how Ruby on Rails handles CSRF protection.

My understanding was that a token is generated and embedded in the HTML markup as a meta tag, and at the same time encrypted in the session cookie. When performing a POST request, both the value of the tag and the cookie are sent to the server, which will decrypt the cookie and compare the CSRF tokens. In case of a mismatch the CSRF protection will reject the request.

However, I am unsure I understand how that works when having multiple browser windows open.

Consider the following scenario: I open two different pages of my application in two separate tabs. They have two different CSRF tokens and the session cookies differ from each other. When opening the second tab, the session cookie set with the first tab gets overwritten. I would have expected that a POST request in the first tab would fail, as the session cookie now contains the encrypted CSRF token value of the second tab.

Instead, the request goes through normally, no error is raised by the application. So where am I misunderstanding how the CSRF protection of Rails works?

daniel f.

0 Answers
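The following is an added illustration, not part of the question and not Rails's own code. It models, in plain Ruby, the token scheme Rails has used since 4.2: one raw token lives in the session, and each rendered page carries that same token masked with a fresh one-time pad, so two tabs show different form tokens while the session cookie still only holds the single raw token. Verification unmasks the form token and compares it to the session token in constant time. All function names are this example's own, and the `session` hash stands in for the Rails session store.

```ruby
require "securerandom"
require "base64"

# Raw token length in bytes (Rails uses 32-byte tokens).
TOKEN_LENGTH = 32

# Session side: one raw token per session, created once and reused.
# Stand-in for what Rails keeps under session[:_csrf_token].
def generate_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# Byte-wise XOR of two equal-length binary strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Page side: mask the raw token with a fresh one-time pad for every render.
# Each tab therefore receives a different token even though the session
# token never changes. The pad is prepended so the server can unmask.
def masked_token(raw_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  masked = xor_bytes(pad, raw_token)
  Base64.strict_encode64(pad + masked)
end

# Server side: recover the raw token from a submitted form/meta token.
# Returns nil for anything that is not a well-formed masked token.
def unmask_token(form_token)
  decoded = Base64.strict_decode64(form_token)
  return nil unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(pad, masked)
rescue ArgumentError
  nil
end

# Constant-time comparison so token checks do not leak timing information.
def constant_time_equal?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# The actual CSRF check: does the submitted token unmask to the session token?
def valid_token?(session_token, form_token)
  constant_time_equal?(session_token, unmask_token(form_token))
end

# Reproduces the two-tab scenario from the question with constructed data.
def demo
  session = { _csrf_token: generate_session_token }
  tab1 = masked_token(session[:_csrf_token]) # rendered in the first tab
  tab2 = masked_token(session[:_csrf_token]) # rendered in the second tab
  {
    tokens_differ:    tab1 != tab2,                                      # true
    tab1_valid:       valid_token?(session[:_csrf_token], tab1),         # true
    tab2_valid:       valid_token?(session[:_csrf_token], tab2),         # true
    foreign_rejected: valid_token?(generate_session_token, tab1),        # false
    garbage_rejected: valid_token?(session[:_csrf_token], "not-a-token") # false
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Because both tabs were rendered from the same session, both masked tokens unmask to the same raw value and both POSTs pass; a token minted for a different session, or a malformed value, is rejected. Real Rails additionally ties the session token to the cookie store's signing or encryption, which this model omits.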