ActionController InvalidAuthenticityToken

Question

Below is an error  caused by a form in my Rails application   Processing UsersController update  for   ip   at 2010-07-29 10 52 27   PUT    Parameters    commit   gt  Update    action   gt  update     method   gt  put    authenticity token   gt  ysiDvO5s7qhJQrnlSR2 f8jF1gxdB7T9I2ydxpRlSSk      more parameters     ActionController  InvalidAuthenticityToken  ActionController  InvalidAuthenticityToken     This happens for every non-get request and  as you see  authenticity token is there

User · Answer

We had the same problem  but noticed that it was only for requests using http    and not with https     The cause was secure  true for session store   Rails application config session store     cookie store    key    foo session     domain    example com     secure  true     Fixed by using HTTPS  everywhere

User · Answer

There are several causes for this error   relating to Rails 4   1  Check  lt    csrf meta tags   gt  present in page layout 2  check authenticity token is being sent with AJAX calls if using form for helper with remote  true option If not you can include the line  lt    hidden field tag  authenticity token  form authenticity token   gt  withing the form block  3  If request is being sent from cached page  use fragment caching to exclude part of page that sends request e g  button to etc  otherwise token will be stale invalid   I would be reluctant to nullify csrf protection

User · Answer

For rails 5  it better to add  protect from forgery prepend  true than to skip the verify authentication token

User · Answer

Running rails dev cache in my console fixed this for me   Rails 6  I think it might be something to do with Turbolinks  but CSRF only seems to work when local caching is enabled

User · Answer

In rails 5  we need to add 2 lines of code      skip before action  verify authenticity token     protect from forgery prepend  true  with   exception

User · Answer

This happened to me when carrying out manual tests of the sign up process of my application  signing up in with multiple users   A very simple and pragmatic solution may be to do what I did  and use a different browser  or incognito if using chrome   This was a much better solution in my case than disabling security features

User · Answer

Following Chrome Lighthouse recommendations for a faster application load   I have asynced my Javascript    views layout application html erb   lt    javascript include tag  application    data-turbolinks-track    gt   reload   async  true   gt    This broke everything and got that Token error for my remote forms  Removing async  true fixed the problem

User · Answer

too late to answer but I found the solution   When you define you own html form then you miss authentication token string that should be sent to controller for security reasons  But when you use rails form helper to generate a form you get something like following   lt form accept-charset  UTF-8  action   login signin  method  post  gt     lt div style  display none  gt       lt input name  utf8  type  hidden  value   amp  x2713   gt       lt input name  authenticity token  type  hidden         value  x37DrAAwyIIb7s w2 AdoCR8cAJIpQhIetKRrPgG5VA   gt                       lt  div gt   lt  form gt    So the solution to the problem is either to add authenticity token field or use rails form helpers rather then removing   downgrading or upgrading rails

User · Answer

I had the same issue but with pages which were page cached  Pages got buffered with a stale authenticity token and all actions using the methods post put delete where recognized as forgery attempts  Error  422 Unprocessable Entity  was returned to the user   The solution for Rails 3  Add    skip before filter  verify authenticity token     or as  sagivo  pointed out in Rails 4 add     skip before action  verify authenticity token   On pages which do caching     As  toobulkeh commented this is not a vulnerability on  index   show actions  but beware using this on  put   post actions   For example    caches page  index   show    skip before filter  verify authenticity token   only   gt    index   show    Reference  http   api rubyonrails org classes ActionController RequestForgeryProtection ClassMethods html  Note added by barlop-  Rails 4 2 deprecated skip before filter in favour of skip before action https   guides rubyonrails org 4 2 release notes html  The   filter family of methods have been removed from the documentation  Their usage is discouraged in favor of the   action family of methods   For Rails 6  as  collimarco  pointed out  you can use skip forgery protection and that it is safe to use it for a REST API that doesn t use session data

User · Answer

Maybe you have your NGINX setup for HTTPS but your certificates are invalid  I ve had a similar problem in the past and redirecting from http to https solved the problem

User · Answer

I have checked the  lt    csrf meta tags    are present and clearing cookies in browser worked for me

User · Answer

ActionController  InvalidAuthenticityToken can also be caused by a misconfigured reverse proxy  This is the case if in the stack trace  you get a line looking like Request origin does not match request base url  When using a reverse proxy  such as nginx  as receiver for HTTPS request and transmitting the request unencrypted to the backend  such as the Rails app   the backend  more specifically  Rack  expects some headers with more information about the original client request in order to be able to apply various processing tasks and security measures  More details are available here  https   github com rails rails issues 22965  TL DR  the solution is to add some headers  upstream myapp     server              unix    path to puma sock     location       proxy pass        http   myapp    proxy set header  Host  host    proxy set header  X-Forwarded-For  proxy add x forwarded for    proxy set header  X-Forwarded-Proto  scheme    proxy set header  X-Forwarded-Ssl on    Optional   proxy set header  X-Forwarded-Port  server port    proxy set header  X-Forwarded-Host  host

User · Answer

I had this problem and the reason was because I copied and pasted a controller into my app  I needed to change ApplicationController to ApplicationController  Base

User · Answer

Add       require rails-ujs    in    app assets javascripts application js

User · Answer

This answer is much more specific to Ruby on Rails  but hopefully it will help someone    You need to include the CSRF token with every non-GET request  If you re used to using JQuery  Rails has a helper library called jquery-ujs that builds on top of it and adds some hidden functionality  One of the things it does is automatically includes the CSRF token in every ajax request  See here   If you switch away from it like I did you might find yourself with an error  You can just submit the token manually or use another library to help scrape the token from the DOM  See this post for more detail

User · Answer

Just adding the authenticity token in form fixed it for me    lt    hidden field tag  authenticity token  form authenticity token   gt

User · Answer

I had this issue with javascript calls  I fixed that with just requiring jquery ujs into application js file

User · Answer

If you have done a rake rails update or otherwise recently changed your config initializers session store rb  this may be a symptom of old cookies in the browser   Hopefully this is done in dev test  it was for me   and you can just clear all browser cookies related to the domain in question   If this is in production  and you changed key  consider changing it back to use the old cookies   lt - just speculation

User · Answer

For Development environment  I tried many of these attempts to fix this issue  in Rails 6  None of them helped  So if none of these suggestions worked for you  try below  The only solution I found was to add a txt file into your  tmp folder  In your app s root directory  either run  touch tmp caching-dev txt  Or manually create a file by that name in your  tmp folder  Since this fixed it for me  I assume the root of the issue is a caching conflict

User · Answer

For me the cause of this issue under Rails 4 was a missing    lt    csrf meta tags   gt    Line in my main application layout  I had accidently deleted it when I rewrote my layout   If this isn t in the main layout you will need it in any page that you want a CSRF token on

User · Answer

Installing    gem  remotipart     can help

User · Answer

This happened to me when upgrading from Rails 4 0 to 4 2  The 4 2 implementation of verified request  looks at request headers  X-CSRF-Token    whereas the header my 4 0 app had been getting was X-XSRF-TOKEN  A quick fix in my ApplicationController was to add the function    def verify authenticity token     request headers  X-CSRF-Token       request headers  X-XSRF-TOKEN       super   end

User · Answer

The authenticity token is a random value generated in your view to prove a request is submitted from a form on your site  not somewhere else   This protects against CSRF attacks   http   en wikipedia org wiki Cross-site request forgery  Check to see who that client IP is  it looks like they are using your site without loading your views   If you need to debug further  this question is a good place to start  Understanding the Rails Authenticity Token  Edited to explain   It means they are calling the action to process your form submit without ever rendering your form on your website  This could be malicious  say posting spam comments  or it could indicate a customer trying to use your web service API directly  You re the only one who can answer that by the nature of your product and analyzing your requests

User · Answer

I had the same issue on localhost  I have changed the domain for the app  but in URLs and hosts file there was still the old domain  Updated my browser bookmarks and hosts file to use new domain and now everything works fine

User · Answer

Problem solved by downgrading to 2 3 5 from 2 3 8   as well as infamous  You are being redirected   issue

[ruby-on-rails] ActionController::InvalidAuthenticityToken

Examples related to ruby-on-rails