Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st POST

All,

I've upgraded to 2.0.2, and I can't get my login screen (the first POST request in the application) to work.

When I post this form, I see the "InvalidAuthenticityToken" error.

I have

  protect_from_forgery :secret => 'my_secret'

set in application.rb

and I am using an active_record session store based on this line in environment.rb:

  config.action_controller.session_store = :active_record_store

My login_form is generated using form_for(). However, I am using text_field_tag and password_field_tag to generate the form fields inside of this form, so the form is not truly bound to an object like most Rails forms.

I can see that my login form is posting the hidden authenticity_token. And I can also see that the value of the "authenticity_token" parameter is definitely not the same secret as "my_secret" specified in the call to protect_from_forgery. So the error makes sense in that respect.

I was under the impression that the protect_from_forgery call would embed the secret provided into the forms generated by Rails? Is that the correct understanding?

Is there something else that I need to be doing in order to make the protect_from_forgery feature work?

Thanks, Wes

Wes Gamble wrote:

All,

I've upgraded to 2.0.2, and I can't get my login screen (the first POST request in the application) to work.

When I post this form, I see the "InvalidAuthenticityToken" error.

I have

  protect_from_forgery :secret => 'my_secret'

set in application.rb

and I am using an active_record session store based on this line in environment.rb:

Is there something else that I need to be doing in order to make the protect_from_forgery feature work?

Thanks, Wes

check controllers/application.rb

  class ApplicationController < ActionController::Base
    helper :all # include all helpers, all the time

    # See ActionController::RequestForgeryProtection for details
    # Uncomment the :secret if you're not using the cookie session store
    protect_from_forgery # :secret => '3218a694a55a785a0cbedf86a388f8bf'
  end

Note the remarks about not using the cookie session store.

James,

I had the secret uncommented and saw the behavior that I described.

Wes

You need to be sending the token with each form post. The form_tag block method should add it for you. Also, your sessions need to be working. You'll know it's good if neither your session id nor your form auth token changes on each refresh. You can check this by looking at the development log and the source of the form (the auth token should be in a hidden field).

http://rails.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#M000296

Rick,

Thanks. As it turns out, my sessions weren't working for this other reason (Is anyone running Rails 2.x against a MS SQL Server DB? - Rails - Ruby-Forum) that has me digging around in the ActiveRecord transactions code (Object_transactions plugin w/2.x disables AR session store - Rails - Ruby-Forum).

Once I get my sessions working, I will give it another shot.

Wes

Could you try to include prototype in your layout? It works for me :slight_smile:

I'm using restful_authentication plugin and I found that if you delete the cookies before submitting in the login form and then you log in, you get the exception: "ActionController::InvalidAuthenticityToken in SessionsController#create".

Any idea to fix this?

Thanks!

1. Don't clear your cookies when you are on the login screen. OR
2. Don't use the default cookie session store.

Rails by default uses cookies to store the sessions, so when you essentially clear your cookies while you are on the login screen it clears all the information about the session and then thinks it's a forgery attempt.
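To make concrete what Rick's answer (the token is tied to a working session, not to the secret itself) and the last reply (clearing the session cookie between rendering and submitting the form makes the token invalid) are describing, here is a small stand-alone Ruby model added for this thread. It is not Rails' own RequestForgeryProtection code and does not reproduce Rails' exact token formula; it only mirrors the mechanism: the token embedded in the hidden field is a one-way digest of the session id and a server-side secret, and the server recomputes it on POST from the session the cookie identifies. The HMAC construction, the `secure_equal?` helper and the two scenario functions are assumptions made for the illustration.

```ruby
require 'openssl'
require 'securerandom'

# Stands in for the :secret passed to protect_from_forgery. Illustrative only.
SERVER_SECRET = 'my_secret'.freeze

# Derive the per-session token (assumed HMAC-SHA1 over the session id keyed by
# the secret; Rails' real formula differs). The posted value is therefore never
# equal to the secret, which is why seeing a different value in the parameter
# is expected rather than a symptom of misconfiguration.
def form_authenticity_token(session_id, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, session_id.to_s)
end

# Constant-time string comparison so the check does not leak the expected
# token through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server-side check on a non-GET request: recompute the token for the session
# the request's cookie maps to and compare it with the posted hidden field.
def verified_request?(session_id, params, secret = SERVER_SECRET)
  expected = form_authenticity_token(session_id, secret)
  secure_equal?(expected, params['authenticity_token'].to_s)
end

# A fresh session id, as a server would mint for a request carrying no cookie.
def new_session_id
  SecureRandom.hex(16)
end

# Scenario 1: the session cookie survives from the GET that rendered the form
# to the POST that submits it, so the same session id is used on both sides.
def cookie_kept_between_render_and_post
  sid = new_session_id
  token = form_authenticity_token(sid) # what form_for/form_tag put in the hidden field
  posted = { 'login' => 'wes', 'authenticity_token' => token } # constructed params
  verified_request?(sid, posted)
end

# Scenario 2: cookies are cleared after the form was rendered. The POST arrives
# without a session cookie, the server creates a new session, and the token
# computed for the old session id no longer matches.
def cookie_cleared_before_post
  sid_at_render = new_session_id
  token = form_authenticity_token(sid_at_render)
  sid_at_post = new_session_id # different session id on the cookie-less POST
  posted = { 'login' => 'wes', 'authenticity_token' => token }
  verified_request?(sid_at_post, posted)
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie kept:    #{cookie_kept_between_render_and_post}"
  puts "cookie cleared: #{cookie_cleared_before_post}"
end
```

The same model explains the diagnostic in Rick's reply: if the session id changes on every refresh (sessions not persisting), every recomputed token changes with it, and the first POST fails exactly as in the original post.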