Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st POST

All,

I've upgraded to 2.0.2, and I can't get my login screen (the first POST
request in the application) to work.

When I post this form, I see the "InvalidAuthenticityToken" error.

I have

  protect_from_forgery :secret => 'my_secret'

set in application.rb

and I am using an active_record session store based on this line in
environment.rb:

  config.action_controller.session_store = :active_record_store

My login_form is generated using form_for(). However, I am using
text_field_tag and password_field_tag to generate the form fields inside
of this form, so the form is not truly bound to an object like most
Rails forms.

I can see that my login form is posting the hidden authenticity_token.
And I can also see that the value of the "authenticity_token" parameter
is definitely not the same secret as "my_secret" specified in the call
to protect_from_forgery. So the error makes sense in that respect.

I was under the impression that the protect_from_forgery call would
embed the secret provided into the forms generated by Rails? Is that
the correct understanding?

Is there something else that I need to be doing in order to make the
protect_from_forgery feature work?

Thanks,
Wes

Wes Gamble wrote:

All,

I've upgraded to 2.0.2, and I can't get my login screen (the first POST
request in the application) to work.

When I post this form, I see the "InvalidAuthenticityToken" error.

I have

  protect_from_forgery :secret => 'my_secret'

set in application.rb

and I am using an active_record session store based on this line in
environment.rb:

Is there something else that I need to be doing in order to make the
protect_from_forgery feature work?

Thanks,
Wes

check controllers/application.rb

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time

  # See ActionController::RequestForgeryProtection for details
  # Uncomment the :secret if you're not using the cookie session store
  protect_from_forgery # :secret => '3218a694a55a785a0cbedf86a388f8bf'
end

Note the remarks about not using the cookie session store.

James,

I had the secret uncommented and saw the behavior that I described.

Wes

You need to be sending the token with each form post. The form_tag
block method should add it for you. Also, your sessions need to be
working. You'll know it's good if neither your session id nor your form
auth token change on each refresh. You can check this looking at the
development log and the source of the form (the auth token should be
in a hidden field).

http://rails.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#M000296

Rick,

Thanks. As it turns out, my sessions weren't working for this other
reason (http://www.ruby-forum.com/topic/146066) that has me digging
around in the ActiveRecord transactions code
(http://www.ruby-forum.com/topic/146569).

Once I get my sessions working, I will give it another shot.

Wes

Could you try to include prototype in your layout? It works for me :)

I'm using restful_authentication plugin and I found that if you delete
the cookies before submitting in the login form and then you log in,
you get the exception: "ActionController::InvalidAuthenticityToken in
SessionsController#create".

Any idea to fix this?

Thanks!

1. Don't clear your cookies when you are on the login screen.
OR
2. Don't use the default cookie session store. Rails by default uses
cookies to store the sessions, so when you clear your cookies while you
are on the login screen it clears all the information about the session
and then thinks it's a forgery attempt.
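The behaviour Rick and the last reply describe, as an added example that is not code from this thread or from Rails itself: it models Rails 2.0's :secret token scheme in plain Ruby (my reading of the RequestForgeryProtection module is an HMAC over the session id keyed with the secret, stated here as an assumption) together with a constructed stand-in session store. Running it shows why the posted token never equals 'my_secret', why it stays constant across refreshes when sessions work, and why wiping cookies on the login page makes the next POST fail.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for the :secret passed to protect_from_forgery.
SECRET = 'my_secret'.freeze

# Token derivation, modelled on Rails 2.0's :secret mode (assumption: an HMAC
# over the session id keyed with the secret). The result is a 40-hex-char
# digest, so the hidden field never carries the secret itself.
def form_authenticity_token(secret, session_id)
  OpenSSL::HMAC.hexdigest('SHA1', secret, session_id.to_s)
end

# Minimal stand-in for a session store: the id lives in a cookie jar, and an
# empty jar means a brand-new session with a brand-new id.
class FakeSessionStore
  attr_reader :cookies

  def initialize
    @cookies = {}
  end

  # Lazily assigns an id, as a cookie-backed store does on first touch.
  def session_id
    @cookies['_session_id'] ||= SecureRandom.hex(16)
  end

  def clear_cookies!
    @cookies.clear
  end
end

# Mirrors the server-side check: GET is exempt, any other verb must post back
# the token derived for the session the request arrives with.
def verified_request?(http_method, params, secret, session_id)
  return true if http_method == :get
  params['authenticity_token'] == form_authenticity_token(secret, session_id)
end

# "Rendering" the login form: returns the hidden field the browser will post.
def render_login_form(store, secret)
  { 'authenticity_token' => form_authenticity_token(secret, store.session_id) }
end

# Rick's check: with a working session, two refreshes yield the same token.
def token_stable_across_refresh?(store, secret)
  first  = render_login_form(store, secret)['authenticity_token']
  second = render_login_form(store, secret)['authenticity_token']
  first == second
end

# Happy path: render, then POST with the same session cookie.
def scenario_normal_login(secret = SECRET)
  store  = FakeSessionStore.new
  params = render_login_form(store, secret)
  verified_request?(:post, params, secret, store.session_id)
end

# Failure path from the thread: cookies wiped while sitting on the login page,
# so the POST arrives under a fresh session id and the token no longer matches.
def scenario_cookies_cleared_before_submit(secret = SECRET)
  store  = FakeSessionStore.new
  params = render_login_form(store, secret)
  store.clear_cookies!
  verified_request?(:post, params, secret, store.session_id)
end

if __FILE__ == $PROGRAM_NAME
  store = FakeSessionStore.new
  puts "token: #{form_authenticity_token(SECRET, store.session_id)}"
  puts "stable across refresh: #{token_stable_across_refresh?(store, SECRET)}"
  puts "normal login verified: #{scenario_normal_login}"
  puts "login after clearing cookies verified: #{scenario_cookies_cleared_before_submit}"
end
```

The same mismatch appears whenever the session id is not sticking between the GET that renders the form and the POST that submits it, which is the situation Wes ran into with his broken ActiveRecord session store: the token in the form was derived from one id and checked against another.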