Chanuka Ranaba

Reputation: 635

Redmine: 422 invalid form authenticity token

I'm using this plugin to enable SSO between my IDP and Redmine. The purpose is to avoid re-entering the username and password when logging in to Redmine. Both Redmine and the IDP are connected to an external LDAP. The problem is that after redirecting back to Redmine from my IDP (after entering username & password), it's giving this error.

Redmine version: 2.5.2, Ruby version: 1.9.3, Rails version: 3.2.19


Upvotes: 5

Views: 13588

Answers (3)

JB.

Reputation: 1110

It happened to us when using a reverse-proxy SSO. The configured name in the SSO did not have the same case as the user name within Redmine.

Extract from the nginx configuration:

    # Pass the user to that stupid Passenger Phusion
    # that cannot evaluate variables like $http_x_forwarded_user
    passenger_env_var REMOTE_USER nicolasm;

And our user name in Redmine was NicolasM.

Removing security as suggested by other answers is not a long-lasting solution.

Upvotes: 0

Wild Black Boar

Reputation: 31

Some details for Redmine 3.4.2

If you get an error 422 (Can't verify CSRF token authenticity), you must go to the controller file

    /app/controllers/application_controller.rb

and remove or comment out the line with the code

    render_error :status => 422, :message => "invalid form authenticity token."

then add the code

    redirect_back_or_default(home_path)

So, your code will be like this

    # render_error :status => 422, :message => "invalid form authenticity token."
    redirect_back_or_default(home_path)

Upvotes: 3

T-Gergely

Reputation: 492

For us, this error appeared when an already logged-on user tried to re-logon (e.g. using multiple browser tabs). The solution is here, patch application_controller.rb:

-    render_error "Invalid form authenticity token." 
+    redirect_back_or_default home_path
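
Review bot: the `+` line redirects on every failed authenticity-token check, so a rejected request now looks like ordinary navigation and nothing records that the check failed; the removed `render_error` line was the only visible signal. Suggest logging the failure before the redirect, and redirecting only in the re-logon case this change targets (a user is already logged in), keeping `render_error` for all other requests.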

Upvotes: 1
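
The multi-tab re-logon case from the last answer, as an added example that is not part of the original posts or of Redmine's code: a simplified model in which the form token is bound to the session and rotates at login, so a form rendered before login fails the check afterwards. `Session`, `handle_post` and the user name are hypothetical; the handler never processes a request with a bad token and only chooses between a redirect and a 422.

```ruby
require 'securerandom'

# Simplified model (an assumption, not Rails or Redmine source): one CSRF
# token per session, regenerated whenever the session is reset at login.
class Session
  attr_reader :user, :csrf_token

  def initialize
    reset!(nil)
  end

  # Resetting the session at login invalidates tokens already rendered
  # into forms that are still open in other browser tabs.
  def reset!(user)
    @user = user
    @csrf_token = SecureRandom.base64(32)
  end
end

# Constant-time comparison, so timing does not reveal matching prefixes.
def secure_compare(a, b)
  return false unless a.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical handler: the state-changing action runs only with a valid
# token. A failure is logged and refused; verification is never skipped.
def handle_post(session, submitted, log)
  return [200, :processed] if secure_compare(submitted, session.csrf_token)
  log << "CSRF check failed user=#{session.user.inspect}"
  # Already logged in (stale tab): send the user home to get a fresh form.
  session.user ? [302, :redirect_home] : [422, :invalid_token]
end

# Constructed scenario: two tabs render the login form, tab A logs in first.
def two_tab_scenario
  log = []
  session = Session.new
  tab_a = session.csrf_token
  tab_b = session.csrf_token
  first = handle_post(session, tab_a, log)
  session.reset!('alice')                    # login succeeds, token rotates
  second = handle_post(session, tab_b, log)  # stale token from tab B
  fresh = handle_post(session, session.csrf_token, log)
  { first: first, second: second, fresh: fresh, log: log }
end
```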
