Today my Rails application on a remote server suddenly stopped working. All errors are of the form

Processing UsersController#update (for **ip** at 2010-07-29 10:52:27) [PUT]
  Parameters: {"commit"=>"Update", "action"=>"update", "_method"=>"put", "authenticity_token"=>"ysiDvO5s7qhJQrnlSR2+f8jF1gxdB7T9I2ydxpRlSSk=", **more parameters**}

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

This happens for every non-GET request and, as you see, authenticity_token is there.

Have you seen anything like that? Thanks!

PS On the web I've found a suggestion to remove 'tmp' folder, didn't help.

A: 

The authenticity token is a random value generated in your view to prove a request is submitted from a form on your site, not somewhere else. This protects against CSRF attacks:

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Check to see who that client/IP is, it looks like they are using your site without loading your views.

If you need to debug further, this question is a good place to start: http://stackoverflow.com/questions/941594/understand-rails-authenticity-token

Edited to explain: It means they are calling the action to process your form submit without ever rendering your form on your website. This could be malicious (say posting spam comments) or it could indicate a customer trying to use your web service API directly. You're the only one who can answer that by the nature of your product and analyzing your requests.

Winfield
Thanks, but I already know what the authenticity token is. _Check to see who that client/IP is, it looks like they are using your site without loading your views._ Sorry, what does "without loading views" mean?
Nikita Rybak
It means that somebody (probably a spammer) could be submitting data to your form without going through your application's user interface. It's possible to do this using a command line program such as curl, for example.
John Topley
John has it exactly right. It means they are calling the action to process your form submit without ever rendering your form on your website. This could be malicious (say posting spam comments) or it could indicate a customer trying to use your web service API directly. You're the only one who can answer that by the nature of your product and analyzing your requests.
Winfield
Ok, I misunderstood Winfield's comment. I thought the app wasn't somehow configured to 'load my views' when I use browser.
Nikita Rybak
I also had another thought, these requests include a token, but it's not valid. This could be caused by caching the page rendering your form or something else that causes a stale version of the form potentially.
Winfield
A: 

Well, I've found an answer: rails sucks.

Problem solved by downgrading to 2.3.5 from 2.3.8 (as well as the infamous 'You are being redirected.' issue).

Nikita Rybak
Will accept to mark the question resolved as soon as I can (in two days).
Nikita Rybak
“Rails sucks” is not really an answer though, is it? It's an opinion.
John Topley
A: 

I had the same issue but with pages which were page cached. Pages got buffered with a stale authenticity token and all actions using the methods post/put/delete were recognized as forgery attempts. Error (422 Unprocessable Entity) was returned to the user.

The solution:
Add:

 skip_before_filter :verify_authenticity_token

On pages which do caching.
For example:

 caches_page :index, :show
 skip_before_filter :verify_authenticity_token, :only => [:index, :show]

Reference: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html

Jeznet
That's not likely the case, I didn't know of _caches_page_ before your post. But I'll check _caches_page_ out, thanks.
Nikita Rybak
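The failure mode in the answer above (a page-cached form hands every later visitor the first visitor's token, which no longer matches their own session) as an added, constructed Ruby simulation, not code from the page or from Rails. It models the Rails 2.3 check (session-bound token, GET exempt, token compared on other methods) and a `skip_actions` list standing in for `skip_before_filter ... :only => [...]`; the visitor names, paths and helper names are assumptions.

```ruby
require 'securerandom'

# Constructed simulation of Rails 2.3-style CSRF protection meeting page caching.
# Session-bound token, as kept in session[:_csrf_token].
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Render the form for this visitor, embedding that visitor's own token.
def render_form(session)
  %(<form method="post"><input type="hidden" name="authenticity_token" value="#{form_authenticity_token(session)}"></form>)
end

# Page cache: the first rendered HTML is stored and served verbatim to everyone afterwards.
def serve_page(cache, path, session)
  cache[path] ||= render_form(session)
end

# Pull the hidden token out of served HTML, as a browser would on submit.
def token_in_html(html)
  html[/name="authenticity_token" value="([^"]+)"/, 1]
end

# Constant-time comparison so the check does not leak the token through timing.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# verified_request?: GET is exempt, skipped actions are exempt, otherwise the
# submitted token must equal the token bound to the submitting visitor's session.
def verified_request?(method, action, session, params, skip_actions = [])
  return true if method == :get || skip_actions.include?(action)
  secure_compare(form_authenticity_token(session), params[:authenticity_token])
end

# Walk through the scenario: Alice's visit fills the cache, Bob gets Alice's token.
def cached_form_scenario
  cache = {}
  alice, bob = {}, {}
  alice_html = serve_page(cache, '/posts/new', alice) # first visit populates the cache
  bob_html   = serve_page(cache, '/posts/new', bob)   # served from cache: Alice's token
  alice_params = { authenticity_token: token_in_html(alice_html) }
  bob_params   = { authenticity_token: token_in_html(bob_html) }
  {
    alice_ok:    verified_request?(:post, :create, alice, alice_params),
    bob_ok:      verified_request?(:post, :create, bob, bob_params),          # stale token: 422
    bob_skipped: verified_request?(:post, :create, bob, bob_params, [:create]) # skip_before_filter
  }
end
```

Bob's submission fails only because the cached HTML carries a token bound to Alice's session; skipping the filter makes it pass, but it also drops the forgery check for that action, which is the trade-off the comments below discuss.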
A: 

I am using Rails 2.3.8 and still have the same problem. Jeznet's answer is good, but the problem is that I need to change every controller. So it seems that is not the best solution.

Jason
I think you can turn it off globally in _application_controller_. It's not that big a security issue, but I wanted to get it right anyway.
Nikita Rybak
Yes. Changing it in environment.rb is fine. But I want to get it right as well. How did you do it?
Jason