I’ve upgraded to 2.0.2, and I can’t get my login screen (the first POST
request in the application) to work.
When I post this form, I see the “InvalidAuthenticityToken” error.
protect_from_forgery :secret => 'my_secret'
set in application.rb
and I am using an active_record session store based on this line in
config.action_controller.session_store = :active_record_store
My login_form is generated using form_for(). However, I am using
text_field_tag and password_field_tag to generate the form fields inside
of this form, so the form is not truly bound to an object like most
I can see that my login form is posting the hidden authenticity_token.
And I can also see that the value of the "authenticity_token" parameter
is definitely not the same secret as “my_secret” specified in the call
to protect_from_forgery. So the error makes sense in that respect.
I was under the impression that the protect_from_forgery call would
embed the secret provided into the forms generated by Rails. Is that
the correct understanding?
Is there something else that I need to be doing in order to make the
protect_from_forgery feature work?
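As an added illustration (not code from the original post or from Rails itself), here is a simplified model of how a protect_from_forgery style token is derived and checked: the :secret is combined with the session id and hashed, so the hidden field carries a digest rather than the secret, and the token only verifies against the session it was issued for. The class name, method names and session ids below are assumptions for the example.

```ruby
require 'digest/sha1'

# Illustrative model (not Rails' own implementation) of CSRF token handling:
# the secret stays on the server, and the value placed in the hidden
# authenticity_token field is a digest of the secret and the session id.
class ForgeryProtection
  class InvalidAuthenticityToken < StandardError; end

  def initialize(secret)
    @secret = secret
  end

  # Token the form helpers would put in the hidden field for this session.
  # The secret itself never appears in the generated form.
  def form_authenticity_token(session_id)
    Digest::SHA1.hexdigest("#{@secret}#{session_id}")
  end

  # Server-side check for a non-GET request: recompute the token for the
  # current session and compare it with the submitted parameter. A token
  # issued under one session id will not verify under another.
  def verify!(session_id, params)
    submitted = params['authenticity_token']
    expected = form_authenticity_token(session_id)
    unless submitted && secure_compare(submitted, expected)
      raise InvalidAuthenticityToken
    end
    true
  end

  private

  # Constant-time comparison so the check does not leak how many leading
  # characters of the submitted token matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end
end

if __FILE__ == $0
  fp = ForgeryProtection.new('my_secret')   # constructed sample secret
  token = fp.form_authenticity_token('sess-1')   # constructed session id
  puts "hidden field value: #{token} (not the secret)"
  puts "same session verifies: #{fp.verify!('sess-1', 'authenticity_token' => token)}"
end
```

Submitting the same token under a different session id raises InvalidAuthenticityToken, as does a request with no authenticity_token parameter at all.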