Error: "ActionController::InvalidAuthenticityToken"

Hi there,

I have my first Rails app running and I regularly get the following "logged_exception" error message:

  "ActionController::InvalidAuthenticityToken"

Does anybody have an idea what might cause this problem? Could it somehow be a "time out" error (like an "AuthenticityToken" which might expire after a certain time, or something along those lines)?

Any idea how that error could be prevented from occurring?

The "backtrace" always starts like this:

The Authenticity Token is a value that is inserted in to forms (when using the form_for helper) that is then checked when the submit request is sent. It helps prevent CSRF attacks.

What is likely happening is that you’re generating your own form and not including the token (which you can do by inserting a hidden field and using the authenticity_token helper).

You can learn more about CSRF and Rails’ protection at:

http://en.wikipedia.org/wiki/Cross-site_request_forgery

http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf

Cheers,

Andy

Yeah, Andy is right. Why don’t you send us the code that generates these error requests? I have seen this error in some Ajax components like autocomplete. They create a form but do not send the token.

I posted this on my blog: http://blogdomario.wordpress.com/2009/05/29/autocomplete-versus-rails-2-x/

It could also be caused by users with cookies disabled in the browser, incorrect protect_from_forgery settings, or caching of authenticity tokens.

Thanks for your hints...

Well, the code is actually the following:

<%= check_box_tag 'applicationfile_verified',
      nil,
      applicationfile.verified,
      { :onclick => "#{remote_function(:url => { :controller => 'applicationfiles',
                                                  :action     => 'verify',
                                                  :id         => applicationfile.id })}" } %>

...which results in the following source...

<input class="confirm_testmail_checkbox" id="applicationfile_verified" name="applicationfile_verified" onclick="jQuery.ajax({data:'authenticity_token=' + encodeURIComponent('xV3AqZMywkzf5OWtszT9M54znztmNRg/CO90v0tNnjs='), dataType:'script', type:'post', url:'/user/applicationfiles/1/verify'})" type="checkbox">

And since the source includes...

    " data:'authenticity_token=' + encodeURIComponent('xV3Ayw...9Nnjs=') "

...it would mean the Authenticity Token is there and OK, right?

Seems fine to me!

Have you cached your view by any chance? That would mean that the authenticity_token in the view is stored in a cached file and not really dynamic?

Cheers, Aditya

Tom Ha wrote:

Does it always do it or only sometimes?

Only sometimes...

Maybe due to bots...?

We’ve had it happen on random occasions while using the RESTful authentication plugin after upgrading Rails. I remember reading a ticket issue somewhere about it and iirc it has to do with something funky in reset_session. But since we had the need for Rack-based authentication as well as some other features, we switched to Devise and have had no error reports ever since.

Best regards

Peter De Berdt
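The three explanations given in this thread (Andy's missing hidden field, Aditya's cached view, Peter's reset_session) all come down to the same check: the token the browser sends back must equal the one stored in the current session. The following is an added illustration in plain Ruby, not code from the thread and not Rails' own implementation; the Session class, the two ERB templates and the scenario functions are constructed here to show why each situation produces the same InvalidAuthenticityToken error.

```ruby
require 'securerandom'
require 'erb'

# Simplified model of what protect_from_forgery does (constructed for this example,
# not Rails' real code): the token lives in the session, every form embeds it,
# and any non-GET request must send it back unchanged.
class InvalidAuthenticityToken < StandardError; end

class Session
  def initialize
    @data = {}
  end

  # Lazily created per session, exactly like the value form_for puts in the hidden field.
  def authenticity_token
    @data[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # What reset_session does: the whole session, token included, is thrown away,
  # so a form rendered before the reset now carries a stale token.
  def reset!
    @data = {}
  end
end

def verify_authenticity_token!(session, method, params)
  return true if method == 'GET'
  sent = params['authenticity_token']
  raise InvalidAuthenticityToken unless sent && sent == session.authenticity_token
  true
end

# Hand-written form that remembers the hidden field (what form_for generates for you).
FORM_WITH_TOKEN = <<~ERB
  <form method="post" action="/user/applicationfiles/1/verify">
    <input type="hidden" name="authenticity_token" value="<%= token %>">
    <input type="checkbox" name="applicationfile_verified">
  </form>
ERB

# Hand-written form that forgot it (Andy's first suspicion).
FORM_WITHOUT_TOKEN = <<~ERB
  <form method="post" action="/user/applicationfiles/1/verify">
    <input type="checkbox" name="applicationfile_verified">
  </form>
ERB

def render_form(template, token)
  ERB.new(template).result_with_hash(token: token)
end

# Toy stand-in for the browser: collect the hidden field the way it would be POSTed.
def params_from_form(html)
  m = html.match(/name="authenticity_token" value="([^"]*)"/)
  m ? { 'authenticity_token' => m[1] } : {}
end

def submit(session, html)
  verify_authenticity_token!(session, 'POST', params_from_form(html))
  :ok
rescue InvalidAuthenticityToken
  :invalid_authenticity_token
end

# 1. form_for-style form, same session on render and submit: passes.
def scenario_form_for
  s = Session.new
  submit(s, render_form(FORM_WITH_TOKEN, s.authenticity_token))
end

# 2. Custom form without the hidden field: fails.
def scenario_missing_token
  s = Session.new
  submit(s, render_form(FORM_WITHOUT_TOKEN, s.authenticity_token))
end

# 3. Form rendered, then reset_session (e.g. by a login plugin) before the click: fails.
def scenario_session_reset
  s = Session.new
  html = render_form(FORM_WITH_TOKEN, s.authenticity_token)
  s.reset!
  submit(s, html)
end

# 4. View cached with the first visitor's token, served to a second session: fails.
def scenario_cached_view
  first  = Session.new
  cached = render_form(FORM_WITH_TOKEN, first.authenticity_token)
  second = Session.new
  submit(second, cached)
end

if __FILE__ == $PROGRAM_NAME
  %i[scenario_form_for scenario_missing_token scenario_session_reset scenario_cached_view].each do |name|
    puts "#{name}: #{send(name)}"
  end
end
```

The point of scenarios 3 and 4 is that the token in the HTML can look perfectly fine, as in the page source quoted above, and the request still fails, because the comparison is against the session that exists at submit time, not the one that existed at render time.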

I can confirm that I use the RESTful authentication plugin, too.

Thanks for your input!