Random Issue with Invalid AuthenticityToken

Greetings

I would appreciate any thoughts or ideas on the following issue:

I have a RoR application with all forms created dynamically.
Unfortunately, sometimes when you hit the back button of the browser and
try to log in via the Login form, an error message comes up with “Invalid
Authenticity Token”.

Can anyone suggest what is wrong, or has anyone had a similar experience before?

Thank you!

John Marountas wrote:

Greetings

I would appreciate any thoughts or ideas on the following issue:

I have a RoR application with all forms created dynamically.
Unfortunately, sometimes when you hit the back button of the browser and
try to log in via the Login form, an error message comes up with “Invalid
Authenticity Token”.

Can anyone suggest what is wrong, or has anyone had a similar experience before?

Thank you!

Sample output from form_tag:

<form action="/home/index" method="post">
  <div style="margin:0;padding:0">
    <input name="authenticity_token" type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" />
  </div>
  Form contents
</form>

If you carefully observe this output, you can see that the helper
generated something you didn’t specify: a div element with a hidden
input inside. This is a security feature of Rails called cross-site
request forgery protection and form helpers generate it for every form
whose action is not “get” (provided that this security feature is
enabled). You can read more about this in the Ruby On Rails Security
Guide.

Bohdan Pohoriletz wrote:


Sample output from form_tag:

<form action="/home/index" method="post">
  <div style="margin:0;padding:0">
    <input name="authenticity_token" type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" />
  </div>
  Form contents
</form>

If you carefully observe this output, you can see that the helper
generated something you didn’t specify: a div element with a hidden
input inside. This is a security feature of Rails called cross-site
request forgery protection and form helpers generate it for every form
whose action is not “get” (provided that this security feature is
enabled). You can read more about this in the Ruby On Rails Security
Guide.

Thank you for your feedback Bohdan.
I have checked my code and it produces the hidden div correctly. The
problem is that sometimes it works perfectly, but at other times
(rarely) it produces the Invalid Token Authenticity.

The problem is that I cannot reproduce the error, so I cannot figure out
what the problem is.

John Marountas wrote:


Thank you for your feedback Bohdan.
I have checked my code and it produces the hidden div correctly. The
problem is that sometimes it works perfectly, but at other times
(rarely) it produces the Invalid Token Authenticity.

The problem is that I cannot reproduce the error, so I cannot figure out
what the problem is.

Greetings

The problem arises when:
1. I logout from the app and go to login form
2. then visit another page (clicking on a link)
3. hit the Back button to return to the login form
4. try to login

I also get this message:

>> Sample output from form_tag:

>> <form action="/home/index" method="post"> <div
>> style="margin:0;padding:0"> <input name="authenticity_token"
>> type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" /> </div>
>> Form contents </form>

The authenticity token is based upon some data stored in the session:
if, when you log out, you reset the session (which very sensibly most
people do), and you reset the session after the form is rendered, then
the form contains a no-longer-valid authenticity token. When you press
the back button this page is fetched from the cache, and so you submit
a form with that stale token.

Fred
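The stale-token mechanism Fred describes, as an added example that is not code from this thread or from Rails itself: a constructed model in which the session holds a secret, the form's hidden token is derived from it, and resetting the session after the login form was rendered makes the browser-cached copy's token fail verification. The `cached:` flag and the Cache-Control remark are assumptions about one way to avoid the replay of the cached page.

```ruby
require "openssl"
require "securerandom"

# Constructed simplification of a session-bound CSRF token; not Rails' code.
APP_SECRET = "constructed-secret-key-base" # stand-in for the app's secret_key_base

class Session
  attr_reader :secret

  def initialize
    reset!
  end

  # Models reset_session: a fresh per-session secret, so every token
  # derived from the previous secret stops verifying.
  def reset!
    @secret = SecureRandom.hex(16)
  end
end

# The value that goes into <input name="authenticity_token" type="hidden" ...>.
def authenticity_token(session)
  OpenSSL::HMAC.hexdigest("SHA256", APP_SECRET, session.secret)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check performed on every non-GET request.
def verified_request?(session, posted_token)
  secure_equal?(posted_token, authenticity_token(session))
end

# Browser-side view of the thread's steps. cached: true means the Back button
# serves the login page from the browser cache (the default); false models a
# login page sent with Cache-Control: no-store, so Back refetches the form.
def back_button_login(cached:)
  session = Session.new
  form_token = authenticity_token(session)    # login form rendered, then cached
  session.reset!                              # session reset after the render (logout)
  form_token = authenticity_token(session) unless cached # refetch => fresh token
  verified_request?(session, form_token)      # false when the stale token is replayed
end
```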