Random Issue with Invalid AuthenticityToken

Greetings

I would appreciate any thoughts or ideas on the following issue:

I have a RoR application with all forms created dynamically. Unfortunately, sometimes when you hit the back button of the browser and try to log in via the Login form, an error message will come up with “Invalid Authenticity Token”.

Can anyone suggest what is wrong, or has anyone had a similar experience before?

Thank you!

Bohdan Pohoriletz wrote:

Sample output from form_tag:

<form action="/home/index" method="post">
  <div style="margin:0;padding:0">
    <input name="authenticity_token" type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" />
  </div>
  Form contents
</form>

If you carefully observe this output, you can see that the helper generated something you didn’t specify: a div element with a hidden input inside. This is a security feature of Rails called cross-site request forgery protection and form helpers generate it for every form whose action is not “get” (provided that this security feature is enabled). You can read more about this in the Ruby On Rails Security Guide.

John Marountas wrote:

Thank you for your feedback, Bohdan. I have checked my code and it produces the hidden div correctly. The problem is that sometimes it works perfectly, but at other times (rarely) it produces the Invalid Token Authenticity.

The problem is that I cannot reproduce the error so I cannot figure out what the problem is.

Greetings

The problem arises when:

1. I log out from the app and go to the login form
2. then visit another page (clicking on a link)
3. hit the Back button to return to the login form
4. try to log in

I also get this message:

>> Sample output from form_tag:
>>
>> <form action="/home/index" method="post"> <div
>> style="margin:0;padding:0"> <input name="authenticity_token"
>> type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" /> </div>
>> Form contents </form>

The authenticity token is based upon some data stored in the session: if, when you log out, you reset the session (which very sensibly most people do), and you reset the session after the form is rendered, then the form contains a no longer valid authenticity token. When you press the back button, this page is fetched from the cache, and so you submit a form with that stale token.

Fred
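The stale-token sequence Fred describes, as a small runnable model. This is an added example, not code from the thread or from Rails; `MiniApp`, `back_button_login` and `refetch_on_back` are hypothetical names. `refetch_on_back: true` stands for the assumption that the login page is served so that the browser re-requests it on Back (for example with `Cache-Control: no-store`), which the thread itself does not discuss.

```ruby
require "securerandom"

# Simplified model of a session-bound CSRF token (hypothetical, not Rails' code).
class MiniApp
  def initialize
    @session = {}
  end

  # The token is created lazily and stored in the session,
  # so it is discarded whenever the session is reset.
  def form_authenticity_token
    @session[:csrf_token] ||= SecureRandom.hex(20)
  end

  # What ends up in the hidden authenticity_token field of the form.
  def render_login_form
    { authenticity_token: form_authenticity_token }
  end

  # Logout resets the session and, with it, the stored token.
  def logout
    @session = {}
  end

  # Compare the submitted token with the session's token without
  # short-circuiting on the first differing byte.
  def verified_request?(submitted)
    expected = @session[:csrf_token]
    return false if expected.nil? || submitted.nil?
    return false unless expected.bytesize == submitted.bytesize
    expected.bytes.zip(submitted.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Replays the sequence from the thread and returns whether the login POST
# passes the token check.
def back_button_login(refetch_on_back:)
  app = MiniApp.new
  cached_form = app.render_login_form  # login form rendered, browser caches it
  app.logout                           # session reset after the form was rendered
  app.form_authenticity_token          # another page is rendered under the new session
  form = refetch_on_back ? app.render_login_form : cached_form
  app.verified_request?(form[:authenticity_token])
end

puts "cached form after reset: #{back_button_login(refetch_on_back: false)}"
puts "re-fetched form:         #{back_button_login(refetch_on_back: true)}"
```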