Daniel Bonnell

Reputation: 4997

Heroku/Rails/Devise: The change you wanted was rejected

I'm having a problem with my Rails 4.2 app running the latest version of Devise on Heroku. I'm going to preface this by stating that I have not pushed any code changes to production in quite some time and that this issue only started recently.

When I go to log in, I receive an error saying "The change you wanted was rejected." When I view the logs, I can see that it's a problem with the CSRF token.

2015-04-04T19:52:22.430533+00:00 app[web.1]: Started POST "/users/sign_in" for 76.119.72.58 at 2015-04-04 19:52:22 +0000
2015-04-04T19:52:22.435480+00:00 app[web.1]: Completed 422 Unprocessable Entity in 1ms
2015-04-04T19:52:22.434143+00:00 app[web.1]: Processing by Devise::SessionsController#create as HTML
2015-04-04T19:52:22.434211+00:00 app[web.1]:   Parameters: {"utf8"=>"✓", "authenticity_token"=>"94uXDeV2wbb1XMfUL445zrIrbhS92pwe+9tWxkyvwtJhnZtZS3ydYOeP2grZvT/t2YMa2A2k/pA+U5X3gFXlAw==", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Log in"}
2015-04-04T19:52:22.435112+00:00 app[web.1]: Can't verify CSRF token authenticity
2015-04-04T19:52:22.438522+00:00 app[web.1]:

I've been scouring StackOverflow for answers and have tried everything I can think of. I've tried a few different things so far:

  1. I added this line to my session_store.rb, thinking that it might be an issue with the cookies being mixed between development and production environments:

     Rails.application.config.session_store :cookie_store, key: "_abhnation_session_#{Rails.env}"

  2. I do NOT have the rails-api gem, which some discussions suggested might be the culprit.

I've also noticed that the problem is strictly with Firefox and is not environment-specific. It occurs in development, test, and production. I've only been able to get around it in test by stubbing sessions.

I can't figure out what caused this to happen. I have not pushed any changes to my public-facing production environment in a few months.

Here is the code link: http://github.com/danielbonnell/abhnation-rails
Here is the live site: http://abhnation.herokuapp.com/

Upvotes: 9

Views: 12645

Answers (5)

Pascal Lindelauf

Reputation: 4870

I came across your post while searching for the "The change you wanted was rejected" error message that I was getting off and on, but I never seemed to get a really good understanding of what was causing it on our system. It turns out that this happened when a user had our application open in multiple tabs and the user session timed out. He would get a new login page in multiple tabs. Then, when he logged in on the first tab and tried to do the same on the second, the second login would fail because of a CSRF token that did not match the currently active session. Applying the solution described here solves the issue for us gracefully:

rescue_from ActionController::InvalidAuthenticityToken do |_exception|
  flash[:alert] = 'Please try again.'
  redirect_back fallback_location: root_path
end

Upvotes: 0
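To make the multi-tab failure concrete, here is an added stand-alone Ruby model of the masked authenticity token scheme Rails 4.2 uses (a re-implementation written for this page, not Rails' own code or the asker's app; the function names and the `session` hash are assumptions). It shows why a form token only ever verifies against the session that issued it: the secret lives in the session, each rendered form carries a differently masked copy, and verification unmasks the submitted value and compares it with the secret of whatever session the POST arrives with. Once the old session has been replaced, the form still open in the second tab carries a token for a secret that no longer exists.

```ruby
require 'securerandom'
require 'base64'

# Constructed model of the Rails 4.2 masked CSRF token (not Rails' code).
TOKEN_LENGTH = 32

# Rails stores the real token base64-encoded in session[:_csrf_token].
def generate_session_token
  SecureRandom.base64(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison, in the spirit of ActiveSupport::SecurityUtils.secure_compare.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Form token = base64( pad || (pad XOR secret) ) with a fresh random pad per
# render, so the value in the page changes on every request (BREACH
# mitigation) while still unmasking to the same session secret.
def masked_token(session)
  secret = Base64.strict_decode64(session[:_csrf_token])
  pad    = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, secret))
end

# What protect_from_forgery checks on a POST: unmask, then compare against
# the secret of the *current* session. A token minted under a session that
# has since expired fails here, which is the multi-tab case in the answer.
def valid_authenticity_token?(session, form_token)
  return false if session[:_csrf_token].nil? || form_token.nil?
  decoded = Base64.strict_decode64(form_token) rescue nil
  return false unless decoded && decoded.bytesize == TOKEN_LENGTH * 2
  pad       = decoded[0, TOKEN_LENGTH]
  encrypted = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, encrypted), Base64.strict_decode64(session[:_csrf_token]))
end

# Replay the scenario: a login form rendered in tab 2 under the old session,
# the session times out and is replaced by a re-login in tab 1, and the stale
# form from tab 2 is then submitted against the new session.
def stale_tab_scenario
  old_session = { _csrf_token: generate_session_token }
  form_token  = masked_token(old_session)                 # rendered into tab 2's page
  new_session = { _csrf_token: generate_session_token }   # session after timeout / re-login
  {
    fresh_submit: valid_authenticity_token?(old_session, form_token),
    stale_submit: valid_authenticity_token?(new_session, form_token)
  }
end

puts stale_tab_scenario.inspect if __FILE__ == $0   # {:fresh_submit=>true, :stale_submit=>false}
```

The `rescue_from ActionController::InvalidAuthenticityToken` handler in the answer sits on top of exactly this check: it catches the `stale_submit` case and sends the user back to a freshly rendered form, whose token is masked from the secret of the session that now exists.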

Nick

Reputation: 6965

This turned out to be a problem with Cloudflare for me. I missed the following log line when reviewing the error:

HTTP Origin header (https://test-app.my.app) didn't match request.base_url (http://test-app.my.app)

I had the Flexible SSL mode enabled for my domain. This needs to be set to Full SSL to ensure that https:// is forced when Cloudflare communicates with your app.

Upvotes: 8
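The log line in this answer comes from the Origin check that `protect_from_forgery` runs in addition to the token check (the `forgery_protection_origin_check` setting; it is on by default in apps generated with Rails 5). Below is an added stand-alone Ruby model of that comparison, written for this page rather than taken from Rails or from the answer's app; the function names are assumptions. It shows why a TLS terminator that talks plain HTTP to the application breaks the check: the browser sends the Origin it used (`https://...`), while `request.base_url` is built from the scheme the app itself sees on the inbound connection, so the two strings differ until the proxy-to-app hop is also HTTPS.

```ruby
# Constructed model of the Rails Origin check (not Rails' own code).
# request.base_url is "#{scheme}://#{host}" with the port omitted when it
# is the default for that scheme, which is how Rack builds host_with_port.
def base_url(scheme, host, port)
  default_port = scheme == 'https' ? 443 : 80
  port == default_port ? "#{scheme}://#{host}" : "#{scheme}://#{host}:#{port}"
end

# Mirrors valid_request_origin?: a request with no Origin header is not
# rejected by this check (the token check still applies); otherwise the
# header must equal base_url exactly, as a plain string comparison.
def valid_request_origin?(origin_header, app_scheme, host, port)
  return true if origin_header.nil?
  origin_header == base_url(app_scheme, host, port)
end

# Reproduce the log message from the answer for a given deployment: the
# scheme the browser used is in the Origin header, the scheme the app sees
# on its own socket is app_scheme.
def diagnose(origin_header:, app_scheme:, host:, port: nil)
  port ||= (app_scheme == 'https' ? 443 : 80)
  expected = base_url(app_scheme, host, port)
  if valid_request_origin?(origin_header, app_scheme, host, port)
    "ok: Origin #{origin_header.inspect} accepted for #{expected}"
  else
    "HTTP Origin header (#{origin_header}) didn't match request.base_url (#{expected})"
  end
end

if __FILE__ == $0
  # Flexible SSL: the browser spoke https to the edge, the app is reached over http.
  puts diagnose(origin_header: 'https://test-app.my.app', app_scheme: 'http', host: 'test-app.my.app')
  # Full SSL: the edge also speaks https to the app, so both sides agree.
  puts diagnose(origin_header: 'https://test-app.my.app', app_scheme: 'https', host: 'test-app.my.app')
end
```

Switching Cloudflare from Flexible to Full SSL is what moves the app from the first `diagnose` call to the second; the same mismatch appears with any reverse proxy that strips TLS unless the app is told, via the forwarded-scheme headers it trusts, that the original request was HTTPS.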

court3nay

Reputation: 2365

You can also check your cookie domain - make sure it's set to the correct *.herokuapp.com domain.

Upvotes: 1

David Mesaros

Reputation: 71

Update the setting to allow for cookies in the iOS Safari browser.

I had the same message on my iPhone in iOS Safari; however, once I allowed cookies for iOS Safari, it solved the problem.

Upvotes: 2

Daniel Bonnell

Reputation: 4997

Turns out the issue (at least for me) was being caused by the Blur / DoNotTrackPlus extension for Firefox. I had previously disabled it, but that had no effect. When I removed it, however, the problem went away.

Hope this helps someone in the future.

Upvotes: 12
