Marc Vitalis

Reputation: 2249

ActionController::InvalidAuthenticityToken in SessionsController#create error

I get this error in Rails 2.3.9 but not in 2.3.8. I didn't change any code. Did I miss anything?

ActionController::InvalidAuthenticityToken in SessionsController#create ActionController::InvalidAuthenticityToken

Thanks :)

Here are the added details.

Request

Parameters:

{"commit"=>"Login",
 "authenticity_token"=>"A9A4+sCsA/81FFoXJEUNziQYhgQ38pceGN2i7MUQbQY=",
 "password"=>"r3dp0rt"}

Here's the code in the application controller

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time
  protect_from_forgery :secret => "r3dp0rtP@$$", :digest => "MD5" # See ActionController::RequestForgeryProtection for details

Here's the code from my session create controller

  def create
    session[:password] = params[:password]
    flash[:notice] = "Sucessfully logged in"
    redirect_to "/login"
  end

and lastly here's the code from my simple login view

<div id="placeholder">
  <% form_tag :action => "create" do %>
    <p>
    <%= label_tag "This will enable administrative features for the site." %><br>
    <%= password_field_tag "password" %>
    </p>
    <br>
    <p>
    <%= submit_tag "Login" %>
    </p>
  <% end %>
</div>

Upvotes: 1

Views: 4383

Answers (3)

Jeff Steil

Reputation: 1770

I don't have enough points to leave this as a comment on the accepted answer, so I will add it as an answer. The patch does work, but just be careful to name it sessions_patch.rb so it will be ordered alphabetically AFTER session_store.rb. As I found out the hard way (by mistakenly naming the patch session_patch.rb), the order of the initializers matters, and the patch won't work if it is loaded before your key and secret are set in session_store.rb. Hopefully this saves someone some time.

Upvotes: 2

Cédric Darné

Reputation: 176

There's a bug in 2.3.9. It prevents the session ID from being set when using an ActiveRecord or memcache session store. See this rails ticket. You can fix it by using Mislav's patch at http://gist.github.com/570149. You'll have to create config/initializers/sessions_patch.rb and paste the code into it. Or you can run the following command in your project root path:

wget http://gist.github.com/570149.txt -O config/initializers/sessions_patch.rb

Finally, don't forget to restart your server (and maybe issue a rake db:sessions:clear).

Upvotes: 3
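
Why a session-store bug surfaces as InvalidAuthenticityToken, as an added example that is not part of the original answer and is not Rails source: a simplified Ruby model in which the form token lives in the server-side session and the POST is checked against it. ToySessionApp, login_round_trip and the issue_session_id switch are hypothetical names, and the broken case assumes the failure the answer describes, where the session ID never reaches the browser.

```ruby
require "securerandom"

# Simplified model (not Rails source) of a server-side session store plus the
# session-bound authenticity token check.
class ToySessionApp
  class InvalidAuthenticityToken < StandardError; end

  # issue_session_id: false models the failure described in the answer above,
  # where the response never hands the session ID back to the browser.
  def initialize(issue_session_id:)
    @issue_session_id = issue_session_id
    @store = {} # session ID => session hash, standing in for the DB/memcache
  end

  # GET /login: render the form. Returns [cookie_for_browser, token_in_form].
  def get_form(cookie = nil)
    sid, session = load_session(cookie)
    session[:_csrf_token] ||= SecureRandom.base64(32)
    [@issue_session_id ? sid : nil, session[:_csrf_token]]
  end

  # POST: the submitted token must match the one stored in the session that
  # the request's cookie resolves to.
  def post_create(cookie, submitted_token)
    _sid, session = load_session(cookie)
    expected = session[:_csrf_token] ||= SecureRandom.base64(32)
    # Toy comparison; production code should compare in constant time.
    raise InvalidAuthenticityToken unless submitted_token == expected
    :ok
  end

  private

  # An unknown or missing cookie always yields a brand-new, empty session.
  def load_session(cookie)
    sid = @store.key?(cookie) ? cookie : SecureRandom.hex(16)
    [sid, (@store[sid] ||= {})]
  end
end

# Drive one login round trip (GET the form, POST it back) and report the result.
def login_round_trip(issue_session_id:)
  app = ToySessionApp.new(issue_session_id: issue_session_id)
  cookie, token = app.get_form
  app.post_create(cookie, token)
rescue ToySessionApp::InvalidAuthenticityToken
  :invalid_authenticity_token
end
```

With the session ID delivered, the POST resolves to the session that issued the token and passes; without it, every request starts an empty session, so a freshly rendered form still fails the check.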

Sebastian

Reputation: 2942

Have you tried clearing the browsing data of your browser? Most likely it's still sending the old AuthenticityToken.

Upvotes: 0
