John Marountas
2010-Jun-24 07:34 UTC
Random Issue with Invalid AuthenticityToken
Greetings

I would appreciate any thoughts or ideas on the following issue:

I have a RoR application with all forms created dynamically. Unfortunately, sometimes when you hit the back button of the browser and try to login via the Login form, an error message comes up with “Invalid Authenticity Token”.

Can anyone suggest what is wrong, or has anyone had a similar experience before?

Thank you!

-- Posted via http://www.ruby-forum.com/.

-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Bohdan Pohoriletz
2010-Jun-24 08:53 UTC
Re: Random Issue with Invalid AuthenticityToken
John Marountas wrote:
> Greetings
>
> I would appreciate any thoughts or ideas on the following issue:
>
> I have a RoR application with all forms created dynamically.
> Unfortunately some times when you hit the back button of the browser and
> try to login via the Login form an error message will come with “Invalid
> Authenticity Token”.
>
> Can anyone suggest what is wrong or had any similar experience before ?
>
> Thank you!

Sample output from form_tag:

    <form action="/home/index" method="post">
      <div style="margin:0;padding:0">
        <input name="authenticity_token" type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" />
      </div>
      Form contents
    </form>

If you carefully observe this output, you can see that the helper generated something you didn’t specify: a div element with a hidden input inside. This is a security feature of Rails called cross-site request forgery protection, and form helpers generate it for every form whose action is not “get” (provided that this security feature is enabled). You can read more about this in the Ruby On Rails Security Guide.
John Marountas
2010-Jun-24 09:22 UTC
Re: Random Issue with Invalid AuthenticityToken
Bohdan Pohoriletz wrote:
> John Marountas wrote:
>> Greetings
>>
>> I would appreciate any thoughts or ideas on the following issue:
>>
>> I have a RoR application with all forms created dynamically.
>> Unfortunately some times when you hit the back button of the browser and
>> try to login via the Login form an error message will come with “Invalid
>> Authenticity Token”.
>>
>> Can anyone suggest what is wrong or had any similar experience before ?
>>
>> Thank you!
>
> Sample output from form_tag:
>
> <form action="/home/index" method="post"> <div
> style="margin:0;padding:0"> <input name="authenticity_token"
> type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" /> </div>
> Form contents </form>
>
> If you carefully observe this output, you can see that the helper
> generated something you didn’t specify: a div element with a hidden
> input inside. This is a security feature of Rails called cross-site
> request forgery protection and form helpers generate it for every form
> whose action is not “get” (provided that this security feature is
> enabled). You can read more about this in the Ruby On Rails Security
> Guide.

Thank you for your feedback Bohdan.

I have checked my code and it produces the hidden div correctly. The problem is that sometimes it works perfectly, but other times (rarely) it produces the Invalid Token Authenticity.

The problem is that I cannot reproduce the error, so I cannot figure out what the problem is.
John Marountas
2010-Jul-04 14:19 UTC
Re: Random Issue with Invalid AuthenticityToken
John Marountas wrote:
> Bohdan Pohoriletz wrote:
>> John Marountas wrote:
>>> Greetings
>>>
>>> I would appreciate any thoughts or ideas on the following issue:
>>>
>>> I have a RoR application with all forms created dynamically.
>>> Unfortunately some times when you hit the back button of the browser and
>>> try to login via the Login form an error message will come with “Invalid
>>> Authenticity Token”.
>>>
>>> Can anyone suggest what is wrong or had any similar experience before ?
>>>
>>> Thank you!
>>
>> Sample output from form_tag:
>>
>> <form action="/home/index" method="post"> <div
>> style="margin:0;padding:0"> <input name="authenticity_token"
>> type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" /> </div>
>> Form contents </form>
>>
>> If you carefully observe this output, you can see that the helper
>> generated something you didn’t specify: a div element with a hidden
>> input inside. This is a security feature of Rails called cross-site
>> request forgery protection and form helpers generate it for every form
>> whose action is not “get” (provided that this security feature is
>> enabled). You can read more about this in the Ruby On Rails Security
>> Guide.
>
> Thank you for your feedback Bohdan.
> I have checked my code and it produces the hidden div correctly. The
> problem is that some times it works perfectly but then some others
> (rarely) it produces the Invalid Token Authenticity.
>
> The problem is that I cannot reproduce the error so I cannot figure out
> what the problem is.

Greetings

The problem arises when:
1. I logout from the app and go to the login form
2. then visit another page (clicking on a link)
3. hit the Back button to return to the login form
4. try to login

I also get this message:

---
The change you wanted was rejected.
Maybe you tried to change something you didn't have access to.
---

Here is the code for the authenticity token:

    <input name="authenticity_token" type="hidden" value="Sv9m/wvBukwY8C2HF0xMnapJLcIw08HL/UyBDD8+o60=" />

Hope that helps
Frederick Cheung
2010-Jul-04 16:58 UTC
Re: Random Issue with Invalid AuthenticityToken
On Jul 4, 3:19 pm, John Marountas <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>>> Sample output from form_tag:
>>>
>>> <form action="/home/index" method="post"> <div
>>> style="margin:0;padding:0"> <input name="authenticity_token"
>>> type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" /> </div>
>>> Form contents </form>

The authenticity token is based upon some data stored in the session: if, when you logout, you reset the session (which very sensibly most people do), and you reset the session after the form is rendered, then the form contains a no longer valid authenticity token. When you press the back button this page is fetched from the cache, and so you submit a form with that stale token.

Fred

>>> If you carefully observe this output, you can see that the helper
>>> generated something you didn’t specify: a div element with a hidden
>>> input inside. This is a security feature of Rails called cross-site
>>> request forgery protection and form helpers generate it for every form
>>> whose action is not “get” (provided that this security feature is
>>> enabled). You can read more about this in the Ruby On Rails Security
>>> Guide.
>>
>> Thank you for your feedback Bohdan.
>> I have checked my code and it produces the hidden div correctly. The
>> problem is that some times it works perfectly but then some others
>> (rarely) it produces the Invalid Token Authenticity.
>>
>> The problem is that I cannot reproduce the error so I cannot figure out
>> what the problem is.
>
> Greetings
>
> The problem arises when:
> 1. I logout from the app and go to login form
> 2. then visit another page (clicking on a link)
> 3. hit the Back button to return to the login form
> 4. try to login
>
> I get also this message too :
>
> ---
> The change you wanted was rejected.
> Maybe you tried to change something you didn't have access to.
> ---
>
> Here is the code for the authenticity token:
> <input name="authenticity_token" type="hidden"
> value="Sv9m/wvBukwY8C2HF0xMnapJLcIw08HL/UyBDD8+o60=" />
>
> Hope that helps
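The following is an added example that is not part of the thread and not Rails code. It models, in plain Ruby with no framework, the mechanism Fred describes: in Rails of this era the token is created lazily by form_authenticity_token and stored as session[:_csrf_token], so a form rendered before reset_session carries a token the new session does not know, and a cached copy of that form served by the Back button fails verification. The helper names (render_login_form, stale_form_scenario, logout_then_render_scenario, the /session action) and the no-store header are assumptions for the illustration; the dependable fix shown is ordering, reset the session and only then render (or redirect to) the login form, while Cache-Control: no-store only asks the browser not to reuse its copy on Back and is not honoured identically everywhere.

```ruby
require 'securerandom'

# Token creation as Rails 2.3/3.0 did it: generated lazily, kept in the session.
# The session here is a plain Hash standing in for the cookie-store session.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Hypothetical view helper (assumption, not a Rails API): renders the login form
# from the thread, embedding whatever token the session holds at render time.
# An optional Cache-Control header asks the browser not to keep a copy for Back.
def render_login_form(session, cache_control: nil)
  token = form_authenticity_token(session)
  html = <<~HTML
    <form action="/session" method="post">
      <div style="margin:0;padding:0">
        <input name="authenticity_token" type="hidden" value="#{token}" />
      </div>
    </form>
  HTML
  headers = cache_control ? { 'Cache-Control' => cache_control } : {}
  { html: html, headers: headers }
end

# What the browser posts back when the user submits a (possibly cached) form.
def extract_token(html)
  html[/name="authenticity_token" type="hidden" value="([^"]+)"/, 1]
end

# Compare without leaking where the first mismatching byte is.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The server-side check: the submitted token must equal the session's token.
def verified_request?(session, submitted_token)
  constant_time_equal?(session[:_csrf_token], submitted_token)
end

# reset_session hands out an empty session; the old token is gone with it.
def reset_session
  {}
end

# The sequence Fred describes: form rendered, THEN session reset, then the Back
# button re-submits the cached form carrying the old token.
def stale_form_scenario
  session = {}
  cached_page = render_login_form(session)              # token A ends up in the page
  stale_token = extract_token(cached_page[:html])
  session = reset_session                                # logout after the render
  back_button_accepted = verified_request?(session, stale_token)
  fresh_page = render_login_form(session)                # a re-fetched form gets token B
  fresh_accepted = verified_request?(session, extract_token(fresh_page[:html]))
  { back_button_accepted: back_button_accepted, fresh_accepted: fresh_accepted }
end

# The ordering that avoids it: reset first, render the form against the new
# session (in Rails: reset_session, then redirect to the login action), and mark
# the response no-store so a Back navigation refetches rather than reusing a copy.
def logout_then_render_scenario
  session = reset_session
  page = render_login_form(session, cache_control: 'no-store')
  { accepted: verified_request?(session, extract_token(page[:html])),
    cache_control: page[:headers]['Cache-Control'] }
end

if __FILE__ == $PROGRAM_NAME
  p stale_form_scenario          # back-button submission rejected, fresh form accepted
  p logout_then_render_scenario  # accepted, with Cache-Control: no-store on the page
end
```

Run it with `ruby csrf_stale_token.rb`; the first hash shows the stale token rejected and a freshly rendered form accepted, the second shows that resetting before rendering gives a form whose token matches the live session.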