views:

339

answers:

3

I have a rails app that I just deployed which is generating Invalid AuthenticityToken errors anywhere a form is submitted. The app uses subdomains as account names and will also eventually allow for a custom domain to be entered. I have an entry in production.rb to allow for cross-domain session handling.

The problem is that you can't log in or submit any form because everything raises an Invalid AuthenticityToken error. The issue looks similar to, but not the same as, http://stackoverflow.com/questions/1201901/rails-invalid-authenticity-token-after-deploy, plus I'm not using mongrel. I've tried clearing cookies in the browser and restarting passenger, but no luck.

Anyone have any ideas?

The server is running nginx + passenger 2.3.11, and Rails 2.3.5.

#production.rb
config.action_controller.session[:domain] = '.domain.com'


#environment.rb
config.action_controller.session = {
  :session_key => '_app_session',
  :secret      => '.... nums and chars .....'
}

Update: I just noticed that the session cookie is not getting set in my production environment. Thus I'm guessing the session can't be tied to the CSRF value. I'm wondering if the cookie not being set has to do with my dynamic subdomains?

A: 

Try this:

<%= javascript_tag "window._token = '#{form_authenticity_token}'" %>

Or see the reference: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html

Salil
No dice. The form_authenticity_token JS variable matches what's getting output in the form, which I can see is getting submitted to the server when the params are dumped as part of the error. It seems the token being submitted is not what the server has on file.
bwizzy
A: 

Try adding the following to your ApplicationController:

protect_from_forgery :only => [:create, :delete, :update]

Solution from http://www.ruby-forum.com/topic/136093. Be aware that it may not be the most secure solution.

Chris
Won't work, because the SessionsController#create (and other form submissions) is what's throwing the error. Plus I'd rather not disable CSRF protection.
bwizzy
+1  A: 

Make sure your server is configured to have the correct domain name. I've seen this when the cookie for the authenticity token was being set for a different domain than the server was actually on. Clients wouldn't realize they needed to send the cookie.

Another possibility is that your production session store is broken in some way. If Rails can't find a user's session it will fail with InvalidAuthenticityToken.

edebill
I have wildcards set up in my nginx vhost file, but I added a specific entry for one of my subdomains and it still didn't fix it.
bwizzy
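As an added example (not code from the question or any of the answers), the following Ruby models the RFC 6265 cookie rules behind edebill's point and the question's update about the session cookie never being set: a browser drops a Set-Cookie whose Domain does not cover the host that sent it, and only returns a stored cookie to hosts that domain-match it. The host names other than domain.com are constructed.

```ruby
# Added example; not code from the question or any of the answers.
# Models the two RFC 6265 rules that decide whether a Rails 2.3 session cookie
# survives once config.action_controller.session[:domain] is set. No session
# cookie means no stored CSRF token, which Rails reports as InvalidAuthenticityToken.

# RFC 6265 section 5.1.3: does request host `host` domain-match `domain`?
def domain_match?(host, domain)
  host = host.downcase
  domain = domain.downcase.sub(/\A\./, '')           # a leading dot is ignored
  return true if host == domain
  return false if host =~ /\A\d{1,3}(\.\d{1,3}){3}\z/ # IP literals never match a suffix
  host.end_with?(".#{domain}")
end

# RFC 6265 section 5.3 step 6: the browser stores a cookie only if the host that
# sent it domain-matches the Domain attribute. nil/'' means a host-only cookie.
def cookie_stored?(setting_host, cookie_domain)
  return true if cookie_domain.nil? || cookie_domain.empty?
  domain_match?(setting_host, cookie_domain)
end

# RFC 6265 section 5.4: a stored cookie is sent back to request_host only if it
# domain-matches; a host-only cookie goes only to the exact host that set it.
def cookie_sent?(setting_host, cookie_domain, request_host)
  return false unless cookie_stored?(setting_host, cookie_domain)
  if cookie_domain.nil? || cookie_domain.empty?
    return request_host.downcase == setting_host.downcase
  end
  domain_match?(request_host, cookie_domain)
end

# For each host the app answers on, report whether the session cookie set by a
# request to that host comes back on the form POST to the same host.
def session_roundtrip_report(config_domain, hosts)
  hosts.each_with_object({}) { |h, r| r[h] = cookie_sent?(h, config_domain, h) }
end

# Constructed hosts: two account subdomains, a customer's own domain (the planned
# custom-domain feature) and a bare IP used to reach the box directly.
HOSTS = %w[acct1.domain.com www.domain.com customer.example 192.0.2.10]

if __FILE__ == $0
  session_roundtrip_report('.domain.com', HOSTS).each do |host, ok|
    puts "#{host.ljust(20)} session cookie round-trips: #{ok}"
  end
end
```

With `:domain => '.domain.com'` the account subdomains keep their session, while a custom domain or a request by IP gets no cookie at all and therefore fails the CSRF check on the very first form.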