Forum: Ruby on Rails InvalidAuthenticityToken when using XML, why?

comopasta Gr (comopasta)
on 2008-11-17 23:26

I'm making an app where messages can be posted only from mobile phones.
The clients that will connect to the app will NOT use a browser; the
client is developed in a native language, say C++, Java, etc. Users
need to be registered to be able to post.

On the server I am using restful_authentication. Clients will use XML to
post stuff to the server.

It is simple to use HTTP Basic authentication to post messages. But I'd
like to have a real API to log in once and then provide a token to the
client so the next requests are done just using the token. Actually, I
could even use the remember me token.

My problem is that when I try this a POST to
I get ActionController::InvalidAuthenticityToken
So I can't get into the controller to start working on the logic I need.


I'm also confused since the Rails docs
state that "Only HTML/JavaScript requests are checked, so this will not
protect your XML API"

I'm using XML here so why is the token being checked?


Any hints appreciated.

comopasta Gr (comopasta)
on 2008-11-19 12:08

For the sake of sharing with others in case it might help...

I had to add Content-Type: text/xml to the headers in the post request.
Doing that stopped the token error.

Now I have started making some changes so the mobile client can log in
with XML and receive a new client_auth_token. For that I have added a
new remember token for the mobile case to the user model, so I can use
the existing remember me functionality of restful_authentication as a
base. The client uses that cookie for using the API. Some changes to the
plugin are needed for this but I hope/think I'm on the right track.
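
A simplified Ruby model of why adding `Content-Type: text/xml` stopped the error, added here as an example and not taken from the thread or from Rails source. It assumes the token check applies to non-GET requests that carry no content type or a browser form type; `FORM_TYPES`, `media_type`, `token_check_applies?` and `verify` are hypothetical names, and the sample requests are constructed.

```ruby
# Simplified model of the behaviour described in this thread; not Rails source.
# Assumption: a non-GET request with no Content-Type, or with a browser form
# type, is token-checked, while XML and similar API content types are exempt.

# Content types a plain HTML form can submit (assumed list for this model).
FORM_TYPES = %w[
  text/html
  application/x-www-form-urlencoded
  multipart/form-data
].freeze

# Strip parameters such as "; charset=utf-8" and normalise case.
def media_type(content_type_header)
  return nil if content_type_header.nil? || content_type_header.strip.empty?
  content_type_header.split(';').first.strip.downcase
end

# True when the request format is one the authenticity-token check applies to.
def token_check_applies?(http_method, content_type_header)
  return false if http_method.to_s.upcase == 'GET'
  type = media_type(content_type_header)
  type.nil? || FORM_TYPES.include?(type)
end

# :ok when the request passes, :invalid_authenticity_token when it would raise.
def verify(http_method, content_type_header, session_token, submitted_token)
  return :ok unless token_check_applies?(http_method, content_type_header)
  return :ok if !session_token.nil? && submitted_token == session_token
  :invalid_authenticity_token
end

# Constructed sample requests: [method, Content-Type header, submitted token].
SAMPLES = [
  ['POST', nil, nil],                                  # no Content-Type header
  ['POST', 'application/x-www-form-urlencoded', nil],  # form type, no token
  ['POST', 'text/xml', nil],                           # header from the second post
  ['POST', 'Text/XML; charset=utf-8', nil],            # same type, with parameter
  ['POST', 'text/html', 'constructed-token']           # browser form with token
].freeze

def run_samples(session_token = 'constructed-token')
  SAMPLES.map { |m, ct, tok| verify(m, ct, session_token, tok) }
end

puts run_samples.inspect if __FILE__ == $PROGRAM_NAME
```

Requests that skip this check are not authenticated by it, so the XML API still has to verify the client's own token on every request.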
