#5633 rails 2.3.8 and InvalidAuthenticityToken - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#5633 ✓resolved

rails 2.3.8 and InvalidAuthenticityToken

Reported by Alex | September 15th, 2010 @ 12:17 PM | in 2.3.10

On the old project migrate to rails 2.3.8.
All good, but we have sometime such error from forms:

ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken

Backtrace:

[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/request_forgery_protection.rb:79:in verify_authenticity_token'



[GEM_ROOT]/gems/activesupport-2.3.8/lib/active_support/callbacks.rb:178:in send'



[GEM_ROOT]/gems/activesupport-2.3.8/lib/active_support/callbacks.rb:178:in evaluate_method'



[GEM_ROOT]/gems/activesupport-2.3.8/lib/active_support/callbacks.rb:166:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/filters.rb:225:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/filters.rb:629:in run_before_filters'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/filters.rb:615:in call_filters'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/filters.rb:610:in perform_action_without_benchmark'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue'



[GEM_ROOT]/gems/activesupport-2.3.8/lib/active_support/core_ext/benchmark.rb:17:in ms'



/opt/ruby-ee-1.8.7-2010.01/lib/ruby/1.8/benchmark.rb:308:in realtime'



[GEM_ROOT]/gems/activesupport-2.3.8/lib/active_support/core_ext/benchmark.rb:17:in ms'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/rescue.rb:160:in perform_action_without_flash'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/flash.rb:151:in perform_action_without_newrelic_trace'



[GEM_ROOT]/gems/newrelic_rpm-2.13.1/lib/new_relic/control/../agent/instrumentation/controller_instrumentation.rb:254:in perform_action'



[GEM_ROOT]/gems/newrelic_rpm-2.13.1/lib/new_relic/agent/method_tracer.rb:141:in trace_execution_scoped'



[GEM_ROOT]/gems/newrelic_rpm-2.13.1/lib/new_relic/control/../agent/instrumentation/controller_instrumentation.rb:247:in perform_action'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/base.rb:532:in send'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/base.rb:532:in process_without_filters'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/filters.rb:606:in process'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/base.rb:391:in process'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/base.rb:386:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/routing/route_set.rb:438:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/dispatcher.rb:87:in dispatch'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/dispatcher.rb:121:in _call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/dispatcher.rb:130



[GEM_ROOT]/gems/activerecord-2.3.8/lib/active_record/query_cache.rb:29:in call'



[GEM_ROOT]/gems/activerecord-2.3.8/lib/active_record/query_cache.rb:29:in call'



[GEM_ROOT]/gems/activerecord-2.3.8/lib/active_record/connection_adapters/abstract/query_cache.rb:34:in cache'



[GEM_ROOT]/gems/activerecord-2.3.8/lib/active_record/query_cache.rb:9:in cache'



[GEM_ROOT]/gems/activerecord-2.3.8/lib/active_record/query_cache.rb:28:in call'



[GEM_ROOT]/gems/activerecord-2.3.8/lib/active_record/connection_adapters/abstract/connection_pool.rb:361:in call'



app/middleware/domain_middleware.rb:70:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/string_coercion.rb:25:in call'



[GEM_ROOT]/gems/rack-1.1.0/lib/rack/head.rb:9:in call'



[GEM_ROOT]/gems/rack-1.1.0/lib/rack/methodoverride.rb:24:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/params_parser.rb:15:in call'



app/middleware/no_failsafe_api_middleware.rb:7:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/session/abstract_store.rb:128:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/failsafe.rb:26:in call'



[GEM_ROOT]/gems/actionpack-2.3.8/lib/action_controller/dispatcher.rb:106:in call'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/rack/request_handler.rb:92:in process_request'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_request_handler.rb:207:in main_loop'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/railz/application_spawner.rb:418:in start_request_handler'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/railz/application_spawner.rb:358:in handle_spawn_application'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/utils.rb:184:in safe_fork'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/railz/application_spawner.rb:354:in handle_spawn_application'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server.rb:352:in __send__'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server.rb:352:in main_loop'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server.rb:196:in start_synchronously'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server.rb:163:in start'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/railz/application_spawner.rb:213:in start'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/spawn_manager.rb:262:in spawn_rails_application'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server_collection.rb:126:in lookup_or_add'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/spawn_manager.rb:256:in spawn_rails_application'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server_collection.rb:80:in synchronize'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server_collection.rb:79:in synchronize'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/spawn_manager.rb:255:in spawn_rails_application'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/spawn_manager.rb:154:in spawn_application'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/spawn_manager.rb:287:in handle_spawn_application'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server.rb:352:in __send__'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server.rb:352:in main_loop'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/lib/phusion_passenger/abstract_server.rb:196:in start_synchronously'



/opt/ruby-ee/lib/ruby/gems/1.8/gems/passenger-2.2.10/bin/passenger-spawn-server:61

Parameters

{"action"=>"create",
 "authenticity_token"=>"KInlnQh1Mlyi8ALaWznQ068Vv0Y9lnmxjff3pSm48fs=",
 "controller"=>"some_controller", ...}

Session Data

{"csrf_token"=>"mwuQ5IeWsDZ9/J17GzufWFD4U9O7ry/BRfsLO4aJ1T4=", ... }

We dont wait so long (less 1 minute), but csrf_token != authenticity_token. How can I fix this? Maybe I need update Passenger to 2.2.15?

Problem solve by downgrading to 2.3.5 from 2.3.8, but I dont want do this.

Comments and changes to this ticket

Rohit Arondekar September 17th, 2010 @ 12:03 PM
- Importance changed from “” to “Low”
You need to add
```
  <%= csrf_meta_tag %>
```
In your view (or layout).

Do you have one?
You flagged this item as spam.
Alex September 17th, 2010 @ 12:46 PM
For rails 2.3.8 no such helper. I try and have such error:
undefined local variable or method csrf_meta_tag' for #<ActionView::Base:0x10a8c2840>

I need create it?
Rohit Arondekar September 17th, 2010 @ 03:40 PM
- Milestone set to “2.3.10”
- State changed from “new” to “open”
I apologize! That helper is for Rails 3.0. Can you try and reproduce the issue on a fresh app?
You flagged this item as spam.
Alexander Zubkov September 24th, 2010 @ 04:07 PM
In my case it's a bit different and easy to reproduce. It works on 2.3.8 and does not on 2.3.9.

On rails 2.3.9 I do:

rails test_app
cd test_app
./script/generate scaffold post name:string content:text rake db:sessions:create
rake db:migrate

And I uncomment the line:
ActionController::Base.session_store = :active_record_store
in config/initializers/session_store.rb.

./script/server

Now I try to create a new post, and get the same Invalid Token error.
When I try this on a project with many gems (formtastic, devise, cancan, etc.), it does not work on 2.3.5, 2.3.8 and 2.3.9. But when I comment the session_store line, it works on all versions.

The bug is caused by the fact, that session cookie is NOT being sent to the browser.
You flagged this item as spam.
Alex September 24th, 2010 @ 04:41 PM
I am using redis-store for sessions:
http://github.com/jodosha/redis-store
You flagged this item as spam.
Alexander Zubkov September 24th, 2010 @ 05:05 PM
BWT the workaround is to comment "protect_from_forgery" in application_controller.rb.
Ryan Bigg October 9th, 2010 @ 10:10 PM
- Tag cleared.
Automatic cleanup of spam.
Ryan Bigg October 19th, 2010 @ 08:23 AM
Automatic cleanup of spam.
You flagged this item as spam.
Surendra Singhi October 25th, 2010 @ 12:24 PM
I think it is fixed in rails 2.3.10. Can you please check and confirm, and close the ticket if so.
You flagged this item as spam.
Alexander Zubkov October 25th, 2010 @ 12:55 PM
Yes, I confirm, on 2.3.10 my small test_app and another project with many gems works. Thank you very much!
Waiting for Alex to close the ticket.
You flagged this item as spam.
Alex October 25th, 2010 @ 03:20 PM
Yes, I confirm, on 2.3.10 fixed.
Jeff Kreeftmeijer October 25th, 2010 @ 04:19 PM
- State changed from “open” to “resolved”
Great. Marking this one as resolved. :)

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

Rails Ruby on Rails → 2.3.10

rails 2.3.8 and InvalidAuthenticityToken

Comments and changes to this ticket

Rohit Arondekar September 17th, 2010 @ 12:03 PM

Alex September 17th, 2010 @ 12:46 PM

Rohit Arondekar September 17th, 2010 @ 03:40 PM

Alexander Zubkov September 24th, 2010 @ 04:07 PM

Alex September 24th, 2010 @ 04:41 PM

Alexander Zubkov September 24th, 2010 @ 05:05 PM

Ryan Bigg October 9th, 2010 @ 10:10 PM

Ryan Bigg October 19th, 2010 @ 08:23 AM

Surendra Singhi October 25th, 2010 @ 12:24 PM

Alexander Zubkov October 25th, 2010 @ 12:55 PM

Alex October 25th, 2010 @ 03:20 PM

Jeff Kreeftmeijer October 25th, 2010 @ 04:19 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Pages

Rails Ruby on Rails → 2.3.10

Keyword searching

rails 2.3.8 and InvalidAuthenticityToken

Comments and changes to this ticket

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Pages