ActionController::InvalidAuthenticityToken in Devise::SessionsController#create #5652
Comments
I'm stuck on this too, but only in production.
Encountering the exact same on my local server, with ActiveAdmin.
I am using redis store.
We fixed it on our end by removing the following from

```ruby
config.action_dispatch.cookies_same_site_protection = :none
config.action_controller.default_protect_from_forgery = false if ENV['RAILS_ENV'] == 'development'
```
I had the same problem when upgrading from Rails 7.0 to 7.1.
Same issue after upgrading to Rails 7.1.2. It works on development, but not on staging/production.

FORM (SIGN UP)

Form

Registration controller

config/environments/staging.rb

Gemfile.lock

I noticed in the dev console that the session_id is named `["session_id`.
Same for me, can I ask you how you fixed it?
Upgrade to Ruby 3.2, then be sure to have

config/environments/production.rb

app/controllers/application_controller.rb

If you use Passenger, then add this to the Gemfile:

```ruby
gem 'rack', '~> 2.2'
```

I was inspecting the Chrome Dev console and the cookie name contained an unrecognized character, like `["session_id` instead of `session_id`.
I found that changing the session and so on didn't work, and then upgrading to Rails 7.1.2 solved it.
I was running into the same issue with Rails 7.1.2 and Devise 4.9.3; what fixed it in my case (based on this comment: #5298 (comment)) was the Puma upgrade to 6.4.2 from 5.6.4.
Same problem with Rails 6.1.
In my case I fixed it in

```ruby
Rails.application.config.session_store :cookie_store, key: "_my_name_#{Rails.env}", expire_after: 1.year, domain: :all
```

Also I'm using nginx in development, so for my proxy I've ensured that the Host header is correct to handle the same-origin verification problem (if you have a frontend on a separate localhost:port) and combined them together on the same host by using nginx:

```nginx
location / {
  proxy_set_header HOST $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_pass_request_headers on;
  proxy_pass http://rails_backend;
  proxy_buffers 8 1024k;
  proxy_buffer_size 1024k;
}
```

Note: Might be useful for someone like myself who struggled with the issue for a few hours.
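Why the Host header matters here, as an added example that is not part of this thread and not Rails code: before it even looks at the token, Rails' forgery protection runs an origin check (`request.origin.nil? || request.origin == request.base_url`, enabled by default in apps that load the 5.0+ framework defaults), and `base_url` is rebuilt from the `Host` (or `X-Forwarded-Host`) and `X-Forwarded-Proto` headers the proxy hands to Rails. The module below is a pure-Ruby approximation of that comparison; the Rack env hashes are constructed for a browser on `http://localhost:8080` talking to nginx, which in turn talks to an upstream named `rails_backend`, and the TLS case assumes TLS is terminated at the proxy.

```ruby
# Added example, not code from this issue or from Rails: a pure-Ruby
# approximation of the origin check Rails runs before the CSRF token check
# (ActionController::RequestForgeryProtection#valid_request_origin?):
#   request.origin.nil? || request.origin == request.base_url
# base_url is rebuilt from the Host / X-Forwarded-* headers the proxy forwards,
# so a wrong Host header alone makes every form POST fail with
# InvalidAuthenticityToken even though the token itself is fine.
module OriginCheck
  DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze

  # Scheme as Rails sees it: X-Forwarded-Proto wins, then HTTPS=on, else http.
  def self.scheme(env)
    proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
    return proto if DEFAULT_PORTS.key?(proto)
    env["HTTPS"] == "on" ? "https" : "http"
  end

  # Host as Rails sees it: last X-Forwarded-Host entry if present, else Host.
  # The default port for the scheme is dropped, as in Request#host_with_port.
  def self.host_with_port(env)
    forwarded = env["HTTP_X_FORWARDED_HOST"].to_s
    raw = forwarded.empty? ? env["HTTP_HOST"].to_s : forwarded.split(/,\s?/).last
    host, port = raw.split(":", 2)
    return host if port.nil? || port.to_i == DEFAULT_PORTS[scheme(env)]
    "#{host}:#{port}"
  end

  def self.base_url(env)
    "#{scheme(env)}://#{host_with_port(env)}"
  end

  # Browsers send an Origin header on form POSTs; a request without one
  # (e.g. curl) passes this check and is judged on the token alone.
  def self.valid_request_origin?(env)
    origin = env["HTTP_ORIGIN"]
    origin.nil? || origin == base_url(env)
  end
end

# Constructed Rack env hashes (not captured traffic) for a browser on
# http://localhost:8080 (nginx) posting a sign-in form to the Rails upstream.

# nginx default is "proxy_set_header Host $proxy_host": Host becomes the upstream name.
BROKEN_PROXY_ENV = {
  "REQUEST_METHOD" => "POST",
  "HTTP_HOST" => "rails_backend",
  "HTTP_ORIGIN" => "http://localhost:8080",
}.freeze

# With "proxy_set_header HOST $http_host;" the browser's Host reaches Rails.
FIXED_PROXY_ENV = BROKEN_PROXY_ENV.merge("HTTP_HOST" => "localhost:8080").freeze

# TLS terminated at the proxy: without X-Forwarded-Proto Rails rebuilds
# "http://app.example.com", which never equals an https Origin.
TLS_NO_PROTO_ENV = {
  "REQUEST_METHOD" => "POST",
  "HTTP_HOST" => "app.example.com",
  "HTTP_ORIGIN" => "https://app.example.com",
}.freeze
TLS_WITH_PROTO_ENV = TLS_NO_PROTO_ENV.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

if __FILE__ == $PROGRAM_NAME
  { broken_proxy: BROKEN_PROXY_ENV, fixed_proxy: FIXED_PROXY_ENV,
    tls_no_proto: TLS_NO_PROTO_ENV, tls_with_proto: TLS_WITH_PROTO_ENV }.each do |name, env|
    puts "#{name}: base_url=#{OriginCheck.base_url(env)} origin ok? #{OriginCheck.valid_request_origin?(env)}"
  end
end
```

The same reasoning applies to any reverse proxy: if `Rails.application.config.hosts`, the `Host` header and the `Origin` the browser sends do not agree, the failure surfaces as `InvalidAuthenticityToken`, not as a host error.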
Faced a similar issue, here is the story. Maybe it could help someone.

When removing

```ruby
# kept only meaningful elements of the configuration
Rails.application.config.session_store :redis_store,
  key: "_session_identifier", expire_after: 14.days, domain: :all, tld_length: 2, secure: true
```

To

```ruby
Rails.application.config.session_store :redis_store,
  key: "_session_identifier", expire_after: 14.days, secure: true
```

The issue was visible immediately after deployment, no need to wait for stale cookies...

Context

Before the change the server would set a

As the user was identified by the

Why?

When submitting the form the browser would send the two

The server will use the oldest

How did I fix it?

```ruby
# Users would still be logged in thanks to the `remember_user_token`
Rails.application.config.session_store :redis_store,
  key: "_new_session_identifier", expire_after: 14.days, secure: true
```

```ruby
class ApplicationController < ActionController::Base
  before_action do
    # request_format is Devise's controller helper (request.format.try(:ref))
    if request_format == :html
      # Delete the old cookies with the same domain scope they were set with,
      # otherwise the browser keeps the parent-domain copies.
      cookies.delete(:_session_identifier, domain: :all)
      cookies.delete(:remember_user_token, domain: :all)
      current_user.remember_me! if current_user
    end
  end
end
```
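The collision described in the comment above, as an added example that is not part of this thread and not Rails, Rack or Devise code: after `domain: :all` is dropped, the browser holds two `_session_identifier` cookies, the old one scoped to the parent domain and a new host-only one. RFC 6265 makes the browser serialise the older cookie first (equal paths, earlier creation time), and Rack keeps the first value it sees for a name, so the session the CSRF token was rendered against is never the one the server looks up. The cookie jar, the header ordering, the `parse_cookies_header` reimplementation and the `app.example.com` cookies are all constructed for the example; `CookieJar.delete` models what `cookies.delete(name, domain: :all)` does to the jar.

```ruby
# Added example, not code from this issue or from Rails/Rack/Devise: a pure-Ruby
# model of two same-named session cookies with different Domain scopes.

# What the browser's cookie jar stores about each cookie (RFC 6265 section 5.3).
Cookie = Struct.new(:name, :value, :domain, :path, :created_at, keyword_init: true)

module CookieJar
  # Simplified domain match: exact host, or the host is below the cookie's
  # Domain attribute. Enough for the two cookies modelled here.
  def self.matching(jar, host)
    jar.select { |c| c.domain == host || host.end_with?(".#{c.domain}") }
  end

  # RFC 6265 section 5.4 step 2: longer paths first, then EARLIER creation
  # time first. With equal paths the stale cookie is serialised before the new one.
  def self.header(jar, host)
    matching(jar, host)
      .sort_by { |c| [-c.path.length, c.created_at] }
      .map { |c| "#{c.name}=#{c.value}" }
      .join("; ")
  end

  # Effect of `cookies.delete(name, domain: :all)`: a Set-Cookie with the SAME
  # Domain attribute and an expiry in the past, so the browser drops that cookie.
  # Deleting without the Domain attribute would only hit the host-only cookie.
  def self.delete(jar, name, domain)
    jar.reject { |c| c.name == name && c.domain == domain }
  end
end

# Server side: the rule Rack::Utils.parse_cookies_header applies, keeping the
# first occurrence of a name (reimplemented so this runs without the rack gem).
def parse_cookies_header(header)
  header.to_s.split(/; */).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split("=", 2)
    cookies[name] = value unless cookies.key?(name)
  end
end

# Constructed jar for a browser on app.example.com. STALE was set before the
# deploy with `domain: :all` (Domain=example.com); FRESH after it, host-only.
STALE = Cookie.new(name: "_session_identifier", value: "stale-sid",
                   domain: "example.com", path: "/", created_at: Time.utc(2024, 1, 1))
FRESH = Cookie.new(name: "_session_identifier", value: "fresh-sid",
                   domain: "app.example.com", path: "/", created_at: Time.utc(2024, 1, 2))
# The fix from the comment above: a new cookie name that cannot collide.
RENAMED = Cookie.new(name: "_new_session_identifier", value: "fresh-sid",
                     domain: "app.example.com", path: "/", created_at: Time.utc(2024, 1, 2))

# Session id the app would look up in Redis for a request from +host+.
def session_id_seen_by_server(jar, key, host: "app.example.com")
  parse_cookies_header(CookieJar.header(jar, host))[key]
end

# Before the fix the server resolves the stale session, whose CSRF token does
# not match the one rendered into the form: InvalidAuthenticityToken.
def before_fix
  session_id_seen_by_server([STALE, FRESH], "_session_identifier")
end

# After renaming the key, the stale cookie is simply ignored.
def after_rename
  session_id_seen_by_server([STALE, RENAMED], "_new_session_identifier")
end

# Alternatively, deleting the old name with its original Domain scope removes
# the stale cookie, so even the old key then resolves to the fresh session.
def after_domain_delete
  jar = CookieJar.delete([STALE, FRESH], "_session_identifier", "example.com")
  session_id_seen_by_server(jar, "_session_identifier")
end
```

In the browser dev tools this shows up as two rows with the same name and different Domain columns; the `Cookie` request header then carries the name twice, and whichever copy comes first decides which session (and therefore which CSRF token) the request is checked against.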
Is this safe?
For me, it works:

```ruby
Rails.application.config.session_store :redis_store,
  servers: [Rails.configuration.app.redis_url],
  expire_after: 15.minutes,
  key: "_my_key",
  threadsafe: true
```

The problem was with the

Stored key:

Stored value:

You literally have configured now:
Ruby 3.2.2
Rails 7.0.8
Devise 4.9.2

Current behavior

Extremely frustrating. All of a sudden, when I try to login/register I get "Can't verify CSRF token authenticity."
I didn't do any changes and it was all working fine 1h ago.

Stack trace:

```ruby
....
def handle_unverified_request
  raise ActionController::InvalidAuthenticityToken, warning_message
end
end
end
...
```

PS: Yes I have the CSRF and CSP tags:

```erb
<%= csrf_meta_tags %>
<%= csp_meta_tag %>
```
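What the check in `handle_unverified_request`'s caller actually verifies, as an added example that is not part of this issue and not Rails code: Rails keeps a random 32-byte token in the session and renders a freshly masked copy of it (random pad, then token XOR pad, base64) into `csrf_meta_tags` and hidden form fields; on a POST it unmasks the submitted value and compares it, in constant time, with the session's token. The check fails whenever the session the form was rendered from is not the session the POST resolves to, which is exactly what a session cookie that does not round-trip produces, regardless of whether the meta tags are present. The function names below mirror the Rails ones but the code is a self-contained reimplementation; sessions are plain hashes holding raw bytes rather than the base64 string Rails stores.

```ruby
# Added example, not code from this issue or from Rails: a pure-Ruby
# reimplementation of the masked CSRF token scheme behind
# "Can't verify CSRF token authenticity".
require "securerandom"
require "base64"

TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so the check leaks nothing about the token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Session side: one random raw token per session (Rails stores it
# base64-encoded in session[:_csrf_token]; raw bytes here for brevity).
def new_session
  { csrf_token: SecureRandom.random_bytes(TOKEN_LENGTH) }
end

# What goes into the page: a different masked value on every render of the
# same token, so the token never appears verbatim in the HTML.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.urlsafe_encode64(pad + xor_bytes(session[:csrf_token], pad))
end

# What the server checks on POST (form field or X-CSRF-Token header).
def valid_authenticity_token?(session, encoded)
  return false if session[:csrf_token].nil? || encoded.nil?
  masked = begin
    Base64.urlsafe_decode64(encoded)
  rescue ArgumentError
    return false
  end
  return false unless masked.bytesize == 2 * TOKEN_LENGTH
  pad, encrypted = masked[0, TOKEN_LENGTH], masked[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(encrypted, pad), session[:csrf_token])
end

# Form rendered and submitted within one session: passes.
def happy_path
  session = new_session
  valid_authenticity_token?(session, masked_authenticity_token(session))
end

# Form rendered in session A, but the POST arrives with a new session B because
# the session cookie did not round-trip (the failure mode in this thread): fails.
def lost_session
  token = masked_authenticity_token(new_session)
  valid_authenticity_token?(new_session, token)
end

# Token altered in transit (one byte of the encrypted half flipped): fails.
def tampered_token
  session = new_session
  raw = Base64.urlsafe_decode64(masked_authenticity_token(session))
  raw.setbyte(TOKEN_LENGTH + 5, raw.getbyte(TOKEN_LENGTH + 5) ^ 0x01)
  valid_authenticity_token?(session, Base64.urlsafe_encode64(raw))
end
```

So when debugging this error, compare the session cookie the browser sent with the form request against the one it received when the form was rendered; if they differ, no amount of `csrf_meta_tags` will make the token match.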