Hi,

I get this error in Rails 2.3.9 but not in 2.3.8. I didn't change any code. Did I miss anything?

ActionController::InvalidAuthenticityToken in SessionsController#create ActionController::InvalidAuthenticityToken

Thanks :)

Here are the added details.

Request

Parameters:

{"commit"=>"Login",
 "authenticity_token"=>"A9A4+sCsA/81FFoXJEUNziQYhgQ38pceGN2i7MUQbQY=",
 "password"=>"r3dp0rt"}

Here's the code in the application controller

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time
  protect_from_forgery :secret => "r3dp0rtP@$$", :digest => "MD5" # See ActionController::RequestForgeryProtection for details
end

Here's the code from my session create controller

  def create
    session[:password] = params[:password]
    flash[:notice] = "Successfully logged in"
    redirect_to "/login"
  end

and lastly here's the code from my simple login view

<div id="placeholder">
  <% form_tag :action => "create" do %>
    <p>
    <%= label_tag "This will enable administrative features for the site." %><br>
    <%= password_field_tag "password" %>
    </p>
    <br>
    <p>
    <%= submit_tag "Login" %>
    </p>
  <% end %>
</div>
A: 

Have you tried clearing the browsing data of your browser? Most likely it's still sending the old AuthenticityToken.

Sebastian
Yup I did that but no luck :(
Marc Vitalis
+2  A: 

Hi,

There's a bug in 2.3.9. It prevents the session ID from being set when using an ActiveRecord or memcache session store. See this Rails ticket. You can fix it by using Mislav's patch at http://gist.github.com/570149. You'll have to create config/initializers/sessions_patch.rb and paste the code into it. Or you can run the following command in your project root path:

wget http://gist.github.com/570149.txt -O config/initializers/sessions_patch.rb

Finally, don't forget to restart your server (and maybe issue a rake db:sessions:clear).

Cédric Darné
Works great. Thanks :)
Marc Vitalis
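
A minimal model of why a session id that is never set makes every form POST fail with InvalidAuthenticityToken, as the accepted answer describes. This is an added example, not Rails code and not the patch from the gist; ToyStore, form_token, verified? and login_round_trip are hypothetical names, and it assumes the token lives in the server-side session and is compared with the submitted authenticity_token parameter.

```ruby
require 'securerandom'

# Toy server-side session store (hypothetical, not a Rails class). With
# drop_session_id set it models the failure described in the answer: the
# session id is never handed back to the browser.
class ToyStore
  def initialize(drop_session_id)
    @drop = drop_session_id
    @rows = {}
  end

  # Returns [session_hash, session_id_for_the_cookie_or_nil].
  def load(cookie_sid)
    sid = @rows.key?(cookie_sid) ? cookie_sid : SecureRandom.hex(16)
    @rows[sid] ||= {}
    [@rows[sid], @drop ? nil : sid]
  end
end

# Assumption: the token is created once per session and rendered into the
# form as the hidden authenticity_token field.
def form_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# The POST is accepted only if the submitted token equals the session's token.
# The comparison accumulates differences instead of returning at the first one.
def verified?(session, submitted)
  expected = session[:_csrf_token]
  return false if expected.nil? || submitted.nil?
  return false unless expected.bytesize == submitted.bytesize
  diff = 0
  expected.bytes.zip(submitted.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# One browser: GET the login form, then POST it back with whatever cookie
# the store handed out. forged: true submits a token the server never issued.
def login_round_trip(store, forged: false)
  session, cookie = store.load(nil)          # GET: form rendered, token stored
  token = form_token(session)
  session, _cookie = store.load(cookie)      # POST: session looked up by cookie
  verified?(session, forged ? SecureRandom.base64(32) : token)
end
```

With a working store the round trip verifies; with the session id dropped, the POST lands in a fresh empty session, so a correct token is rejected exactly like a forged one.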