Wes Gamble
2008-Mar-19 17:17 UTC
Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st POST
All,

I've upgraded to 2.0.2, and I can't get my login screen (the first POST request in the application) to work.

When I post this form, I see the "InvalidAuthenticityToken" error.

I have

    protect_from_forgery :secret => 'my_secret'

set in application.rb

and I am using an active_record session store based on this line in environment.rb:

    config.action_controller.session_store = :active_record_store

My login_form is generated using form_for(). However, I am using text_field_tag and password_field_tag to generate the form fields inside of this form, so the form is not truly bound to an object like most Rails forms.

I can see that my login form is posting the hidden authenticity_token. And I can also see that the value of the "authenticity_token" parameter is definitely not the same secret as "my_secret" specified in the call to protect_from_forgery. So the error makes sense in that respect.

I was under the impression that the protect_from_forgery call would embed the secret provided into the forms generated by Rails? Is that the correct understanding?

Is there something else that I need to be doing in order to make the protect_from_forgery feature work?

Thanks,
Wes

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
James Byrne
2008-Mar-19 17:23 UTC
Re: Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st
Wes Gamble wrote:
> All,
>
> I've upgraded to 2.0.2, and I can't get my login screen (the first POST
> request in the application) to work.
>
> When I post this form, I see the "InvalidAuthenticityToken" error.
>
> I have
>
> protect_from_forgery :secret => 'my_secret'
>
> set in application.rb
>
> and I am using an active_record session store based on this line in
> environment.rb:

>
> Is there something else that I need to be doing in order to make the
> protect_from_forgery feature work?
>
> Thanks,
> Wes

Check controllers/application.rb

    class ApplicationController < ActionController::Base
      helper :all # include all helpers, all the time

      # See ActionController::RequestForgeryProtection for details
      # Uncomment the :secret if you're not using the cookie session store
      protect_from_forgery # :secret => '3218a694a55a785a0cbedf86a388f8bf'
    end

Note the remarks about not using the cookie session store.
Wes Gamble
2008-Mar-19 20:29 UTC
Re: Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st
James,

I had the secret uncommented and saw the behavior that I described.

Wes
Rick Olson
2008-Mar-19 23:48 UTC
Re: Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st
On Wed, Mar 19, 2008 at 10:23 AM, James Byrne <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> Wes Gamble wrote:
> > All,
> >
> > I've upgraded to 2.0.2, and I can't get my login screen (the first POST
> > request in the application) to work.
> >
> > When I post this form, I see the "InvalidAuthenticityToken" error.
> >
> > I have
> >
> > protect_from_forgery :secret => 'my_secret'
> >
> > set in application.rb
> >
> > and I am using an active_record session store based on this line in
> > environment.rb:
>
> >
> > Is there something else that I need to be doing in order to make the
> > protect_from_forgery feature work?
> >
> > Thanks,
> > Wes

You need to be sending the token with each form post. The form_tag block method should add it for you. Also, your sessions need to be working. You'll know it's good if neither your session id nor form auth token change on each refresh. You can check this by looking at the development log and the source of the form (the auth token should be in a hidden field).

http://rails.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#M000296

--
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
Wes Gamble
2008-Mar-20 00:00 UTC
Re: Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st
Rick,

Thanks. As it turns out, my sessions weren't working for this other reason (http://www.ruby-forum.com/topic/146066) that has me digging around in the ActiveRecord transactions code (http://www.ruby-forum.com/topic/146569).

Once I get my sessions working, I will give it another shot.

Wes
mikhailov
2008-Apr-19 08:49 UTC
Re: Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st
Could you try to include prototype in your layout? It works for me :)

On 20 Mar, 07:00, Wes Gamble <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Rick,
>
> Thanks. As it turns out, my sessions weren't working for this other
> reason (http://www.ruby-forum.com/topic/146066) that has me digging
> around in the ActiveRecord transactions code
> (http://www.ruby-forum.com/topic/146569).
>
> Once I get my sessions working, I will give it another shot.
>
> Wes
>
> --
> Posted via http://www.ruby-forum.com/.
On 20 mar, 01:48, "Rick Olson" <technowee...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Wed, Mar 19, 2008 at 10:23 AM, James Byrne
> <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> > Wes Gamble wrote:
> > > All,
> > >
> > > I've upgraded to 2.0.2, and I can't get my login screen (the first POST
> > > request in the application) to work.
> > >
> > > When I post this form, I see the "InvalidAuthenticityToken" error.
> > >
> > > I have
> > >
> > > protect_from_forgery :secret => 'my_secret'
> > >
> > > set in application.rb
> > >
> > > and I am using an active_record session store based on this line in
> > > environment.rb:
> > >
> > > Is there something else that I need to be doing in order to make the
> > > protect_from_forgery feature work?
> > >
> > > Thanks,
> > > Wes
>
> You need to be sending the token with each form post. The form_tag
> block method should add it for you. Also, your sessions need to be
> working. You'll know it's good if neither your session id or form
> auth token change on each refresh. You can check this looking at the
> development log and the source of the form (the auth token should be
> in a hidden field).
>
> http://rails.rubyonrails.org/classes/ActionController/RequestForgeryP...
>
> --
> Rick Olson
> http://lighthouseapp.com
> http://weblog.techno-weenie.net
> http://mephistoblog.com

I'm using restful_authentication plugin and I found that if you delete the cookies before submitting in the login form and then you log in, you get the exception: "ActionController::InvalidAuthenticityToken in SessionsController#create".

Any idea to fix this?

Thanks!
Rob Schultz
2008-Apr-19 19:23 UTC
Re: Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st
> I'm using restful_authentication plugin and I found that if you delete
> the cookies before submitting in the login form and then you log in,
> you get the exception: "ActionController::InvalidAuthenticityToken in
> SessionsController#create".
>
> Any idea to fix this?
>
> Thanks!

1. Don't clear your cookies when you are on the login screen.

OR

2. Don't use the default cookie session store.

Rails by default uses cookies to store the sessions so when you essentially clear your cookies while you are on the login screen it clears all the information about the session and then thinks it's a forgery attempt.
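Added example (not part of the thread and not Rails source code): a small Ruby model of a session-bound form token, showing why the hidden field never equals the secret and why a cleared cookie or a session that does not persist ends in InvalidAuthenticityToken. It assumes the token is an HMAC-SHA1 of the session id keyed with the :secret and that sessions sit in a server-side store found through a session-id cookie; `LoginFlow`, `form_token` and `secure_equal?` are hypothetical names.

```ruby
require 'openssl'
require 'securerandom'

SECRET = 'my_secret' # the :secret value quoted in the thread

# Stand-in for ActionController::InvalidAuthenticityToken
class InvalidAuthenticityToken < StandardError; end

# Assumed derivation: HMAC-SHA1 over the session id, keyed with the secret.
def form_token(secret, session_id)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, session_id)
end

# Constant-time comparison so the check does not leak matching prefixes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical login flow with a server-side session store.
class LoginFlow
  def initialize(secret, sessions_persist:)
    @secret = secret
    @sessions_persist = sessions_persist
    @store = {}
  end

  # GET: returns [session-id cookie, token for the hidden field].
  def get_form(cookie = nil)
    sid = load_session(cookie)
    [sid, form_token(@secret, sid)]
  end

  # POST: recomputes the token for the current session and compares.
  def post_form(cookie, submitted)
    expected = form_token(@secret, load_session(cookie))
    raise InvalidAuthenticityToken unless secure_equal?(expected, submitted.to_s)
    :ok
  end

  private

  # Unknown or missing cookie means a brand-new session id.
  def load_session(cookie)
    return cookie if cookie && @store.key?(cookie)
    sid = SecureRandom.hex(16)
    @store[sid] = {} if @sessions_persist
    sid
  end
end
```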