Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st POST

All,

I’ve upgraded to 2.0.2, and I can’t get my login screen (the first POST
request in the application) to work.

When I post this form, I see the “InvalidAuthenticityToken” error.

I have

protect_from_forgery :secret => 'my_secret'

set in application.rb

and I am using an active_record session store based on this line in
environment.rb:

config.action_controller.session_store = :active_record_store

My login_form is generated using form_for(). However, I am using
text_field_tag and password_field_tag to generate the form fields inside
of this form, so the form is not truly bound to an object like most
Rails forms.

I can see that my login form is posting the hidden authenticity_token.
And I can also see that the value of the "authenticity_token" parameter
is definitely not the same secret as “my_secret” specified in the call
to protect_from_forgery. So the error makes sense in that respect.

I was under the impression that the protect_from_forgery call would
embed the secret provided into the forms generated by Rails? Is that
the correct understanding?

Is there something else that I need to be doing in order to make the
protect_from_forgery feature work?

Thanks,
Wes

Wes G. wrote:


check controllers/application.rb

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time

  # See ActionController::RequestForgeryProtection for details

  # Uncomment the :secret if you're not using the cookie session store
  protect_from_forgery # :secret => '3218a694a55a785a0cbedf86a388f8bf'
end

Note the remarks about not using the cookie session store.

James,

I had the secret uncommented and saw the behavior that I described.

Wes

On Wed, Mar 19, 2008 at 10:23 AM, James B. wrote:


You need to be sending the token with each form post. The form_tag
block method should add it for you. Also, your sessions need to be
working. You'll know it's good if neither your session id nor your form
auth token change on each refresh. You can check this looking at the
development log and the source of the form (the auth token should be
in a hidden field).

http://rails.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#M000296


Rick O.
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com

Rick,

Thanks. As it turns out, my sessions weren’t working for this other
reason (http://www.ruby-forum.com/topic/146066) that has me digging
around in the ActiveRecord transactions code
(http://www.ruby-forum.com/topic/146569).

Once I get my sessions working, I will give it another shot.

Wes

Could you try including prototype in your layout? It works for me :)

On 20 Mar, 01:48, "Rick O." wrote:


I’m using restful_authentication plugin and I found that if you delete
the cookies before submitting in the login form and then you log in,
you get the exception: “ActionController::InvalidAuthenticityToken in
SessionsController#create”.

Any idea to fix this?

Thanks!


  1. Don't clear your cookies when you are on the login screen.
     OR
  2. Don't use the default cookie session store. Rails by default uses
     cookies to store the sessions, so when you clear your cookies while
     you are on the login screen it clears all the information about the
     session and then thinks it's a forgery attempt.
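To make the thread's two points concrete (Rick's: the token lives in the session and is only valid while that session survives; and the answer above: clearing cookies between rendering the form and posting it opens a fresh session, so the old token no longer matches), here is an added Ruby model written for this page. It is not Rails code and not from the restful_authentication plugin. It assumes what Rails 2.0 does for a non-cookie session store such as :active_record_store: the authenticity token is an HMAC-SHA1 over the session id keyed with the :secret passed to protect_from_forgery. That is also why, as the first post observed, the hidden field never contains the secret itself. The SessionStore class, the session ids and the form HTML are constructed stand-ins.

```ruby
require 'openssl'

# Constructed model (not Rails source) of how Rails 2.0's protect_from_forgery
# derives the authenticity token for a non-cookie session store: HMAC-SHA1 over
# the session id, keyed with the :secret. The secret never appears in the form.
def authenticity_token(secret, session_id)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret.to_s, session_id.to_s)
end

# Stand-in for a server-side session store (e.g. ActiveRecord sessions) keyed
# by the id carried in the session cookie. Constructed for this example.
class SessionStore
  def initialize
    @sessions = {}
    @counter = 0
  end

  # Reuse the session named by the cookie if the store still knows it, otherwise
  # open a fresh session (what happens after the browser's cookies are cleared).
  def session_for(cookie_session_id)
    if cookie_session_id && @sessions.key?(cookie_session_id)
      cookie_session_id
    else
      @counter += 1
      id = "sess-#{@counter}" # constructed id, not a real Rails session id
      @sessions[id] = {}
      id
    end
  end
end

# Renders the login form: the hidden authenticity_token field carries the token
# bound to the session the response's cookie will name.
def render_login_form(store, secret, cookie_session_id)
  sid = store.session_for(cookie_session_id)
  token = authenticity_token(secret, sid)
  html = %(<input type="hidden" name="authenticity_token" value="#{token}" />)
  [sid, html]
end

# Verifies a POST the way the before-filter does: recompute the token for the
# session named by the request's cookie and compare it to the submitted param.
def verified_request?(store, secret, cookie_session_id, params)
  sid = store.session_for(cookie_session_id)
  submitted = params['authenticity_token']
  !submitted.nil? && submitted == authenticity_token(secret, sid)
end

# Walk through the scenarios discussed in the thread.
def demo
  secret = 'my_secret'
  store = SessionStore.new

  # 1. Normal flow: GET the form (cookie set), POST it back with the same cookie.
  sid, html = render_login_form(store, secret, nil)
  token = html[/value="([0-9a-f]+)"/, 1]
  normal = verified_request?(store, secret, sid, 'authenticity_token' => token)

  # 2. Cookies cleared between GET and POST: the server opens a new session, so
  #    the token the form carried no longer matches (InvalidAuthenticityToken).
  cleared = verified_request?(store, secret, nil, 'authenticity_token' => token)

  # 3. Posting the raw secret, as the first post expected, never verifies.
  raw_secret = verified_request?(store, secret, sid, 'authenticity_token' => secret)

  { token_is_secret: token == secret, normal: normal,
    cookies_cleared: cleared, raw_secret: raw_secret }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints a hash in which only :normal is true. The check that matters for the thread is the second scenario: the token is only as stable as the session id behind it, so any setup in which the session id changes between the GET and the POST (a session store that is not persisting, or a cookie store whose cookie was deleted) produces exactly the error reported here.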
