On Dec 30, 2007 12:54 AM, Frederick C. [email protected]
wrote:
Have you defined a secret to use for the cookies (I expect there’s a
message in your logs about it)?
Hi,
I ran into (probably) the same error as Kathleen did tonight. I’m
using the default environment.rb, but changing the session_store to
use AR as a session_store, and I get an error:
“ActionController::InvalidAuthenticityToken in Products#new
No :secret given to the #protect_from_forgery call.”
I’ve tried to reproduce it in the simplest manner I can think of. I’m
running Rails 2.0.2 (on Leopard, if it makes any difference). Here’s
what I do to reproduce this error:
rails newapp
cd newapp/
script/scaffold some_model name:string
rake db:sessions:create
vim config/environment.rb
(uncommenting config.action_controller.session_store =
:active_record_store, nothing else. :secret is set a few lines above)
rake db:migrate
script/server
Everything seems just fine up till now. No errors on the rake tasks or
anything.
I clean out all cookies from localhost in Safari, and then I visit
http://localhost:3000/some_model/new and get the error. (For some
reason, http://localhost:3000/some_models does not produce the error.)
I’ve tried the above, using mysql as my database instead of sqlite
(because I’m more comfortable on the mysql prompt), and had a look.
Everything is there. The sessions table does indeed have a row after
I’ve visited the url. The browser has a new cookie set from localhost.
But still I get the ActionController::InvalidAuthenticityToken error.
Have I done something weird? Here’s an excerpt from my
config/environment.rb:
# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
config.action_controller.session = {
  :session_key => '_testapp_session',
  :secret      => '0a3cae420e2e43d216f641e7c84958c357eec74593bee85cb3f9a46bb9fc7f8ebe52d9f8ac5d3d429a678ce91f46336fb04e91a4f9054c164f8f258932763e59'
}

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with 'rake db:sessions:create')
config.action_controller.session_store = :active_record_store
If it’s a bug in Rails 2.0.2, I hope this helps to confirm it.
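As an added illustration (not code from the post or from Rails itself) of why the :secret matters for the error above: a simplified Ruby model of a Rails 2.0-style protect_from_forgery when the session is kept outside the cookie, deriving the per-session token from the session id and the secret and checking it on state-changing requests. The HMAC construction and the error message are assumptions modelled on Rails 2.0 behaviour; the secret and session ids are constructed sample values.

```ruby
require 'openssl'

# Simplified model (added example, not Rails' own code) of a Rails 2.0-style
# protect_from_forgery when the session lives outside the cookie (e.g. the
# active_record_store): the per-session token is an HMAC over the session id,
# keyed with the :secret handed to protect_from_forgery.
class ForgeryProtection
  class InvalidAuthenticityToken < StandardError; end

  # Requests that only read state need no token.
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(secret)
    @secret = secret
  end

  # Token embedded in every form; this runs while rendering GET /.../new,
  # which is why a missing secret shows up there and not on the index page.
  def form_authenticity_token(session_id)
    if @secret.nil? || @secret.to_s.empty?
      raise InvalidAuthenticityToken, 'No :secret given to the #protect_from_forgery call'
    end
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret.to_s, session_id.to_s)
  end

  # Check applied on every request: safe methods pass, anything else must
  # carry the token derived for this very session.
  def verified_request?(http_method, session_id, submitted_token)
    return true if SAFE_METHODS.include?(http_method.to_s.upcase)
    return false unless submitted_token.is_a?(String)
    secure_equal?(form_authenticity_token(session_id), submitted_token)
  end

  private

  # Length check, then XOR over all bytes, so a wrong token is rejected in constant time.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  # Constructed sample values; a real secret should be at least 30 random characters.
  fp = ForgeryProtection.new('constructed-sample-secret-for-illustration-only')
  token = fp.form_authenticity_token('session-a')
  puts "POST with own session's token:   #{fp.verified_request?('POST', 'session-a', token)}"
  puts "POST with another session's token: #{fp.verified_request?('POST', 'session-b', token)}"
end
```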