Hi there,

I have my first Rails app running and I regularly get the following "logged_exception" error message:

"ActionController::InvalidAuthenticityToken"

Has anybody an idea what might cause this problem? Could it somehow be a "time out" error (like an "AuthenticityToken" which might expire after a certain time, or something along those lines)?

Any idea how that error could be prevented from occurring?

The "backtrace" always starts like this:

================
/usr/lib/ruby/gems/1.8/gems/actionpack-2.3.3/lib/action_controller/request_forgery_protection.rb:79:in `verify_authenticity_token'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.3.3/lib/active_support/callbacks.rb:178:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.3.3/lib/active_support/callbacks.rb:178:in `evaluate_method'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.3.3/lib/active_support/callbacks.rb:166:in `call'
...
================

Thanks for any help with this!
Tom
Andy Jeffries
2010-Feb-22 16:26 UTC
Re: Error: "ActionController::InvalidAuthenticityToken"
The Authenticity Token is a value that is inserted into forms (when using the form_for helper) that is then checked when the submit request is sent. It helps prevent CSRF attacks.

What is likely happening is that you're generating your own form and not including the token (which you can do by inserting a hidden field and using the authenticity_token helper).

You can learn more about CSRF and Rails' protection at:

http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf

Cheers,

Andy
Mario Sergio Coelho Marroquim
2010-Feb-22 20:25 UTC
Re: Error: "ActionController::InvalidAuthenticityToken"
Yeah, Andy is right. Why don't you send us the code that generates these error requests?

I have seen this error in some Ajax components like autocomplete. They create a form but do not send the token.

I posted this on my blog:
http://blogdomario.wordpress.com/2009/05/29/autocomplete-versus-rails-2-x/

Mário Sérgio Coelho Marroquim
It could also be caused by users with cookies disabled in the browser, incorrect protect_from_forgery settings, or caching of authenticity tokens.
Thanks for your hints...

Well, the code is actually the following:

<%= check_box_tag 'applicationfile_verified',
                  nil,
                  applicationfile.verified,
                  { :onclick => "#{remote_function(:url => {
                                     :controller => 'applicationfiles',
                                     :action => 'verify',
                                     :id => applicationfile.id })}"
                  } %>

...which results in the following source...

<input class="confirm_testmail_checkbox" id="applicationfile_verified"
       name="applicationfile_verified"
       onclick="jQuery.ajax({data:'authenticity_token=' + encodeURIComponent('xV3AqZMywkzf5OWtszT9M54znztmNRg/CO90v0tNnjs='), dataType:'script', type:'post', url:'/user/applicationfiles/1/verify'})"
       type="checkbox">

And since the source includes...

" data:'authenticity_token=' + encodeURIComponent('xV3Ayw...9Nnjs=') "

...it would mean the Authenticity Token is there and OK, right?
Mario Sergio Coelho Marroquim
2010-Feb-23 21:35 UTC
Re: Re: Error: "ActionController::InvalidAuthenticityToken"
Seems fine to me!
Aditya Sanghi
2010-May-14 13:45 UTC
Re: Error: "ActionController::InvalidAuthenticityToken"
Have you cached your view by any chance? That would mean that the authenticity_token in the view is stored in a cached file and not really dynamic?

Cheers,
Aditya
Does it always do it or only sometimes?
Only sometimes...

Maybe due to bots...?
Peter De Berdt
2010-May-14 17:24 UTC
Re: Re: Error: "ActionController::InvalidAuthenticityToken"
On 14 May 2010, at 18:09, Tom Ha wrote:
> Only sometimes...
>
> Maybe due to bots...?

We've had it happen on random occasions while using the RESTful authentication plugin after upgrading Rails. I remember reading a ticket issue somewhere about it and iirc it has to do with something funky in reset_session. But since we had the need for Rack-based authentication as well as some other features, we switched to Devise and have had no error reports ever since.

Best regards

Peter De Berdt
I can confirm that I use the RESTful authentication plugin, too.

Thanks for your input!
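
An added example, not part of any post in this thread and not Rails source code: a simplified model of a session-bound authenticity token, run against the causes raised above (a form built without the token, cookies disabled, a cached view, and a session reset between render and submit). The helper names form_token, verified? and scenarios are hypothetical, and all data is constructed.

```ruby
require 'securerandom'

# Simplified model of a session-bound CSRF token check (not Rails source).
# form_token, verified? and scenarios are hypothetical names.

# The token is created lazily and stored in the visitor's session.
def form_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time string comparison for secret values.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# GET requests pass; anything else must echo the token held in the session.
def verified?(session, method, params)
  return true if method == :get
  expected = session[:_csrf_token]
  !expected.nil? && secure_equal?(expected, params['authenticity_token'].to_s)
end

# Each entry: would the request pass the check? All data here is constructed.
def scenarios
  alice = {}
  page = { 'authenticity_token' => form_token(alice) } # form rendered for Alice
  r = {}
  r[:normal_submit] = verified?(alice, :post, page)
  r[:form_without_token] = verified?(alice, :post, {})
  # Cookies disabled or session expired: the server sees a brand-new session.
  r[:no_session_cookie] = verified?({}, :post, page)
  # Cached view: Bob is served HTML that was rendered (and cached) for Alice.
  bob = {}
  form_token(bob)
  r[:cached_view] = verified?(bob, :post, page)
  # Session reset between render and submit: the old token is gone.
  alice.clear
  form_token(alice)
  r[:session_reset] = verified?(alice, :post, page)
  r[:get_request] = verified?({}, :get, {})
  r
end

scenarios.each { |name, ok| puts format('%-20s %s', name, ok ? 'accepted' : 'InvalidAuthenticityToken') }
```

In this model the token has no expiry of its own; it stops matching only when the session it is stored in is lost or replaced.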