getting "Can't verify CSRF token authenticity" even if CSRF token is present #2734
Comments
Can you please provide a sample application that reproduces the error? |
here it is: (keep in mind that there are lots of gems which are not required but mentioned in the Gemfile. This repo, I just keep updating to the latest gems) |
Your sample application is using an old version of devise. If you update it and are still seeing the error, we can take a look. |
My bad, really sorry. I've updated the app with the latest version of the devise gem. Also added the devise secret key. |
I'm having this exact same problem in my app, but only in production, not in development/test env. I narrowed it down to this line:
# config/initializers/session_store.rb
Store::Application.config.session_store :cookie_store, key: '_some_key', domain: :all, tld_length: 2
With this line, sessions aren't destroyed anymore either. @rtcoms I wasn't able to reproduce this problem in your sample app, neither in development nor in production ( |
@everyone, the problem in my app is fixed. It was not related to devise. I removed the 'rails-api' gem and it started working. @kurko I removed some gems from my Gemfile. Try to have a minimum number of gems in the Gemfile and add extra gems one by one to find out which gem is causing the error. From my side this issue can be closed. |
I have the same exact issue as kurko. Did you ever find a solution to your problem? |
Nope. I just disabled the feature for now, but I'll need it back soon. If you find the solution, please post it here. |
Ok so I fixed my issue by changing the domain: to my domain name that I'm currently using. Turns out my dev domain didn't work with my production domain. I don't know if that'll help you but good luck! |
This isn't Devise related, as I'm running into the same problem after upgrading to Rails 4 without using the Devise gem at all. Commenting out the ':domain => :all, :tld_length => 2' section 'fixes' it, but we need that. Will try and figure out what the actual issue is and create an issue against Rails for it. |
I actually found a better solution is to specify your :domain to your On Wed, Feb 26, 2014 at 7:22 PM, Chris Burkhart notifications@github.com wrote: |
I have the same problem. I tried removing I can reproduce the bug easily with my browser in Incognito Mode but only in production. After digging a bit I did not find any solution so I just discarded the protection from sign_in form |
I had the same problem after switching to rails 4. I store my session data in the database aka: In my case the session_id was not saved aka session_id=NULL It was fixed by placing this in an initializer: |
I fixed this issue a few times by pulling down a fresh copy of my repo from On Thu, Apr 3, 2014 at 4:21 PM, Joshua Kidd notifications@github.com wrote: |
I am seeing the same thing... Can't verify CSRF token authenticity in my application using Devise 3.2.4. It seems to happen randomly, but is fairly repeatable shortly after restarting Apache... my app is deployed using Passenger on Apache. Has anyone found a definitive bug? |
I didn't identify the bug and I'm still waiting for an answer. In the Alessandro Rodi On Fri, May 2, 2014 at 1:47 AM, Don notifications@github.com wrote: |
I am having the same issue as well. As @coorasse said, I disabled forgery_protection for now. Please share if anyone has found a fix. Thanks. |
Please reopen the issue or we'll have to create a duplicate |
Folks, can someone please provide a way to reproduce the issue? It can even be in a new issue, as long as we link to this one. But we need a way to reproduce this, without a way to reproduce it, there is nothing we can do about getting it fixed. |
Hi Jose, Did I report that? ~eike On 25.06.2014 at 16:08, José Valim notifications@github.com wrote: |
Just my 2c - my problem was that in session_store.rb I had
and was not using SSL in production (still in development phase). So cookies were not sent => token was missing. Stupid mistake. |
We had the same issue. In session_store.rb we had these settings:
We need it because we use subdomains on our staging and production environments and some services like Xing do not allow us to set up an OAuth callback for many subdomains (no * allowed). Our client reported that he can't log in to the admin panel. The client has access to both environments. The log errors:
After some research we figured out that the problem was only present in Chrome. Looking into Resources in the Chrome console, I noticed we have the same cookies (one from the stage environment and the other from production), but of course with different values. It happens because I first logged in to production and then opened a new tab and tried to log in to staging. With these two cookies, the error occurs. So in session_store.rb we changed the cookie name to a dynamic name:
This works, the cookies are not mixed up any more. |
Yes, we had the same problem as @rience in our app. |
Had the same issue until adding an initializer that skips before action @josevalim shouldn't this issue be opened again, or is it not related to devise? |
Disabling If you have CSRF enabled and you see an authenticity token in the request, check that you actually have a session token in your cookies. Devise has exhaustive tests of this functionality - it is unlikely to be a devise issue. |
@latortuga: it's not skipped for all requests in the app, but for our There always is an authenticity token in the request, but for some strange reason I can not explain it cannot be verified and the session is empty. Looks like the user was logged in, but the session is not written because of the unverified token. After this first failing login attempt, the next login just works... I dunno, it's always the first attempt that is failing - always directly after a logout. |
If the session is empty, obviously the token will not be verified - this is how CSRF protection in Rails works! Check if you're using If you're not validating CSRF protection for login/logout, a malicious attacker could cause you to logout or login as someone else without your knowledge. |
This solved my problem. I overrode the devise sessions controller by creating a new file in controller/users/ with the name sessions_controller.rb |
I've tried every solution on here to no avail. I am running Rails 4.2 and the latest version of Devise on Heroku. My issue only seems to occur in Firefox and the environment doesn't matter. It happens in development, test, and production. I can get around it in testing by stubbing the user login, but I can't seem to get around it in the other environments. I can't figure out what caused the issue in the first place. I had no problems logging in through Firefox as recently as a week ago. I haven't pushed any new code up to the production app recently. |
I was able to solve this problem after quite a lot of troubleshooting. I am using cloudflare with heroku. The fix was to switch Cloudflare's SSL from Flexible to Full. Then everything worked. That simple. |
Another potential cause worth mentioning: sessions not saving. I had a problem in which my form was generating a csrf token, and it was being sent and received by the server correctly, but it was never matching the token in the session because a new one was being regenerated every request due to a session issue. |
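The relationship between the session token and the form token that @latortuga describes above, and the "session regenerated every request" cause in the previous comment, as an added example that is not from this issue and not Devise's or Rails' own code (it re-implements the masked-token scheme in simplified form; the session hash and `_csrf_token` key are assumptions):

```ruby
require "securerandom"

TOKEN_LENGTH = 32
# Server side: the raw token lives in the session. A fresh session gets a fresh
# raw token, so a form token minted under an older session can never match it.
def new_session
  { "_csrf_token" => [SecureRandom.random_bytes(TOKEN_LENGTH)].pack("m0") }
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison; a plain == would leak the token byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Form side: the raw token is XORed with a one-time pad (a simplified version of
# the masking Rails 4.2+ applies), so two forms on one page carry different
# but equally valid tokens.
def masked_token(session)
  raw = session.fetch("_csrf_token").unpack1("m0")
  pad = SecureRandom.random_bytes(raw.bytesize)
  [pad + xor_bytes(pad, raw)].pack("m0")
end

# Request side: unmask the submitted token and compare it with the session's raw
# token. An empty session, a different session or garbage input all fail.
def valid_token?(session, submitted)
  return false unless session["_csrf_token"].is_a?(String) && submitted.is_a?(String)
  decoded = submitted.unpack1("m0") rescue nil
  return false unless decoded && decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  unmasked = xor_bytes(pad, decoded[TOKEN_LENGTH, TOKEN_LENGTH])
  secure_compare(unmasked, session["_csrf_token"].unpack1("m0"))
end

# The failure mode from the thread: the form was rendered under one session, but
# the session was lost or reset (cookie never stored, new session per request)
# before the POST arrived, so the server compares against a different raw token.
def demo
  session = new_session
  token = masked_token(session)
  [valid_token?(session, token),      # same session: true
   valid_token?(new_session, token),  # session reset: false
   valid_token?({}, token)]           # empty session: false
end
```

Checking the browser's cookie jar for the session cookie on the failing request, as suggested above, is the quickest way to tell the "session reset" case from a genuinely bad token.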
I have the same problem but I am not using Devise. To reproduce
The same issue is happening for an Ajax post request in another tab3 (opened another page before logout from tab1). Do we have any solution to fix this issue? |
I have this problem (with Rails 5 and nginx) but
The solution is to use |
@pdbradley thanks bro, your suggestion works perfect! |
configuration. Clearance/Devise authentication over HTTPS would fail without it due to CSRF errors. This issue explains it best: heartcombo/devise#2734
Yep, proxy_set_header X-Forwarded-Proto $scheme; worked for me as well. I was just about to throw a TV out a 2nd story window, and now I can watch it instead....thanks! |
Thank you guys! I've been struggling for days with authenticity token failure in Chrome (in Firefox it worked properly). After adding "proxy_set_header X-Forwarded-Proto $scheme;" to the nginx config the problem is solved. I might have messed up the config file when setting up SSL. Big thanks!! |
Following on from Cloudflare SSL comments above (@rdetert). If you are not using Heroku, so you aren't able to access an automatic SSL addon, you need to add an actual certificate on your nginx server manually. Here's how I set it up on Digital Ocean: Generate a TLS cert from cloudflare (free, just below the SSL flexible/full/strict area). On the server (as root):
Set Cloudflare SSL settings to Full (strict) to force Cloudflare to use your server certs. Finally, configure |
Rails 5.1, aws elastic beanstalk with cloudfront. Had the same error and tried everything here to no avail. Fixed it by changing cloudfront behavior settings. Set "Forward Cookies" to "all" from the default "none (Improves Caching)" in Distribution Settings > Behavior > (select behavior) > Edit. |
I recently caught the same problem. Looks fine, but turns out it is a bad idea to access Devise controllers are still controllers, and are inherited from ApplicationController. So I tried to access The fix was to put |
Faced this issue recently. |
I had this problem, for me it was nothing to do with Devise. It was Rails5 + Heroku + CloudFlare as explained here: http://til.obiefernandez.com/posts/875a2a69af-cloudflare-flexible-ssl-mode-breaks-rails-5-csrf. |
I was experiencing this problem too. It turned out that the
class ApplicationController < ActionController::Base
  ...
  auto_session_timeout Rails.configuration.session_timeout_length
  # has to be after auto_session_timeout so that prepend will not be overwritten.
  protect_from_forgery with: :exception, prepend: true
end |
For me the problem was solved when I wrote this in my application_controller.rb: class ApplicationController < ActionController::Base A different order of the lines above was the reason for the exception. Hope it'll help somebody. |
I ran across this problem after I switched back and forth between the development and production environment on the same machine with browser Firefox. The 2 data sets are quite different. It took me 2 days to find out that it was caused by the Firefox cache. After the cache was cleared, Rails (4.2.11.1 & Ruby 2.2.5) functions properly. The lesson learned: never mix up the development and production environment on the same machine. |
I also came across this problem. After verifying that it worked fine on all other machines I tried I got suspicious. Turns out Server 2016's Internet Explorer needs to have the Rails site added to "Trusted Sites" then it magically starts working. I have not investigated further. |
I came across the problem and it had nothing to do with Devise. My solution was different than the ones here. I have two modal forms. It seemed like the 1st one was working and the 2nd one wasn't. I checked the authenticity tokens on them and they are different per form. I grabbed the authenticity token from the meta tag and made that the value of the authenticity token hidden field for the 2nd form. Tried it and it fixed it. Here's the CoffeeScript:
editNoteModal = ->
  $('[href="#edit-note"]').click ->
    # code
    modal = $ '#edit-note'
    # code
    # code
    # code
    token = $('meta[name="csrf-token"]').attr('content')
    authTokenField = modal.find '[name=authenticity_token]'
    authTokenField.val token

$(window).on 'turbolinks:load', editNoteModal |
This error was the browser's cache for me. I was working on two different projects, and both were on Before my solution I tried with a private window, on which all worked, so I came to the idea of the browser's cache, which finally was the solution. |
The simplest solution for the problem is to do standard things in your controller, or you can directly put it into ApplicationController |
I had gone from "CSRF was previously working on localhost and production" to throwing the If you are using subdomains (including ngrok which uses E.g.:
Rails.application.config.session_store :cookie_store, key: "_example_session", domain: :all, tld_length: 3
For more info see: https://github.com/heartcombo/devise/wiki/How-To:-Use-subdomains |
In my case I get the "Can't verify CSRF token authenticity" log message after Devise form submission when I use this code (also mentioned here) in
I have to submit Devise forms two times to get e.g. the user signed in or get error messages on the front end. It also seems this happens randomly! If I remove the above-mentioned code, Devise seems to work as expected. Using Rails 7.0.4.2 and Devise 4.9.0. P.S.: Maybe this is being solved by #5567 |
I ran into this and it was due to me having embedded one |
I tried the recent rails 7.0.4.3 branch from @carlosantoniodasilva (#5567) and the issue related to the "Can't verify CSRF token authenticity" while using |
@lapser if you can create a reproducible app, feel free to open another issue and we can take a look. This seems very unlikely to be something Devise specific, but a combination of factors. |
The above works to avoid getting the "Can't verify CSRF token authenticity" message using rails 7.0.4.3 and devise 4.9.0 with Hotwire Turbo (without |
I'm doing simple authentication (without ajax or api) and getting an error for the CSRF authenticity token. I'm using the latest versions of rails and devise
check the post request below