Invalid Authentication

I have a Rails application that I just deployed that generates InvalidAuthenticityToken errors whenever a form is submitted. The application uses subdomains as account names, and ultimately allows you to enter a custom domain. I have an entry in production.rb to allow cross-domain session handling.

The problem is that you cannot log in or submit any form, because everything raises an InvalidAuthenticityToken error. It looks similar to, but not the same as, "Rails - invalid authentication token after deployment", and I don't use Mongrel. I tried clearing the cookies in the browser and restarting Passenger, but no luck.

Does anyone have any ideas?

The server is running nginx + passenger 2.3.11 and Rails 2.3.5.

 #production.rb
 config.action_controller.session[:domain] = '.domain.com'

 #environment.rb
 config.action_controller.session = {
   :session_key => '_app_session',
   :secret      => '.... nums and chars .....'
 }

Update: I just noticed that the session cookie is not set in my production environment, so I assume the CSRF token cannot be bound to a session. I am wondering whether I need to set a cookie for my dynamic subdomains?

+4
3 answers

Make sure your server is configured with the correct domain name. I saw this when the cookie carrying the authenticity token was set for a different domain than the one the server actually runs on. Clients did not realize they needed to send the cookie back.

Another possibility is that your production session store is broken in some way. If Rails cannot find the user's session, it will fail with InvalidAuthenticityToken.

+2

Try this:

 <%= javascript_tag "window._token = '#{form_authenticity_token}'" %> 

Or see the reference: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html

0

Try adding the following to your ApplicationController:

 protect_from_forgery :only => [:create, :delete, :update] 

Solution from http://www.ruby-forum.com/topic/136093. Keep in mind that this may not be the safest solution.

0
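As an added illustration (example code written for this page, not code from the thread, from Rails, or from the linked forum post), the following pure-Ruby model shows the mechanism behind the first answer and the question's update, and the caveat in the last answer. It models a browser cookie jar that applies the RFC 6265 domain-match rules, and an app whose CSRF check compares the form token with the token held in the session, which is the comparison protect_from_forgery makes. The class names CookieJar and App, the method names, and the hostnames acme.domain.com and www.acme-custom.net are assumptions constructed for the example.

```ruby
require 'securerandom'

# Minimal model of a browser cookie jar following the RFC 6265 domain rules.
# Constructed for this example; it is not Rails or Rack code.
class CookieJar
  def initialize
    @cookies = {} # name => { value:, domain:, host_only: }
  end

  # RFC 6265 5.1.3: host domain-matches domain when they are identical or
  # host ends with "." + domain (a leading dot on domain is ignored).
  def self.domain_match?(host, domain)
    host = host.downcase
    domain = domain.downcase.sub(/\A\./, '')
    host == domain || host.end_with?('.' + domain)
  end

  # Store a Set-Cookie received from `host`. RFC 6265 5.3 step 6: if the
  # request host does not domain-match the Domain attribute, the browser
  # ignores the cookie entirely, so no session cookie is ever stored.
  def set(host, name, value, domain: nil)
    if domain
      return false unless self.class.domain_match?(host, domain)
      @cookies[name] = { value: value, domain: domain.sub(/\A\./, ''), host_only: false }
    else
      @cookies[name] = { value: value, domain: host, host_only: true }
    end
    true
  end

  # Cookies the browser attaches to a request for `host` (RFC 6265 5.4).
  def for_host(host)
    @cookies.select do |_, c|
      c[:host_only] ? host.casecmp?(c[:domain]) : self.class.domain_match?(host, c[:domain])
    end.transform_values { |c| c[:value] }
  end
end

# Minimal model of a session-backed app with the CSRF check that
# protect_from_forgery performs: the form token must equal the session token.
class App
  SESSION_COOKIE = '_app_session'

  # cookie_domain mirrors config.action_controller.session[:domain];
  # protected_actions mirrors protect_from_forgery :only => [...] (nil = all).
  def initialize(cookie_domain: nil, protected_actions: nil)
    @cookie_domain = cookie_domain
    @protected_actions = protected_actions
    @sessions = {} # session id => { csrf: token }
  end

  # GET that renders a form: find or create the session, issue the token, and
  # return [token, set_cookie] (token goes into the form as authenticity_token).
  def render_form(request_cookies)
    sid = request_cookies[SESSION_COOKIE]
    sid = new_session unless sid && @sessions[sid]
    @sessions[sid][:csrf] ||= SecureRandom.base64(32)
    [@sessions[sid][:csrf], { name: SESSION_COOKIE, value: sid, domain: @cookie_domain }]
  end

  # POST to `action`. A request carrying no usable session cookie has no
  # stored token to compare against, so it can never pass: that is the
  # InvalidAuthenticityToken case from the question.
  def submit(request_cookies, token, action: :create)
    return :ok if @protected_actions && !@protected_actions.include?(action)
    sid = request_cookies[SESSION_COOKIE]
    expected = sid && @sessions[sid] && @sessions[sid][:csrf]
    return :invalid_authenticity_token unless expected && token && secure_compare(expected, token)
    :ok
  end

  private

  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  # Constant-time comparison so the token cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# One browser round trip against `app` served on `host`: load the form, keep
# whatever cookie the browser accepts, then post the form token back.
def round_trip(app, host, action: :create)
  jar = CookieJar.new
  token, cookie = app.render_form(jar.for_host(host))
  stored = jar.set(host, cookie[:name], cookie[:value], domain: cookie[:domain])
  { cookie_stored: stored, result: app.submit(jar.for_host(host), token, action: action) }
end

if $PROGRAM_NAME == __FILE__
  app = App.new(cookie_domain: '.domain.com')
  p round_trip(app, 'acme.domain.com')      # {:cookie_stored=>true, :result=>:ok}
  p round_trip(app, 'www.acme-custom.net')  # cookie refused, :invalid_authenticity_token
  loose = App.new(protected_actions: [:create, :update, :delete])
  p loose.submit({}, nil, action: :destroy) # :ok with no token at all
end
```

With the cookie domain fixed at .domain.com, a request served on acme.domain.com stores the session cookie and the form submits; a request served on a custom domain that does not domain-match .domain.com has its Set-Cookie ignored by the browser, no session is ever established, and every form submission fails the token check, which is exactly what a missing session cookie plus InvalidAuthenticityToken looks like. The last case shows why protect_from_forgery :only => [...] is risky: any state-changing action left off the list (here destroy, since the list names delete rather than destroy) is accepted with no token at all.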

Source: https://habr.com/ru/post/1306243/

