A quick answer to a problem that’s not obvious but is easy to solve.
If users occasionally get a 422 error (usually when trying to log on) saying:
The change you wanted was rejected.
Maybe you tried to change something you didn’t have access to.
The server error is:
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)
/public/422.html (422 Unprocessable Entity)
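It’s because the user has disabled cookies! Rails keeps the authenticity token it checks against in the session, and the session depends on a cookie, so a browser that never sends the cookie back can never present a matching token. It’s up to you to catch and deal with it better.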
Processing SessionsController#create (for 163.1.180.9 at 2009-07-31 14:23:25) [POST]
Parameters: {"commit"=>"Sign in", "action"=>"create", "authenticity_token"=>"z8VBO3J6AgbgzrwAYTc/ZLAQIf6zwnATa3GfI8xTUEw=", "to"=>"", "controller"=>"sessions", "password"=>"[FILTERED]", "email"=>"", "remember_me"=>"1"}
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
passenger (2.2.4) lib/phusion_passenger/rack/request_handler.rb:91:in `process_request'
passenger (2.2.4) lib/phusion_passenger/abstract_request_handler.rb:206:in `main_loop'
passenger (2.2.4) lib/phusion_passenger/railz/application_spawner.rb:376:in `start_request_handler'
passenger (2.2.4) lib/phusion_passenger/railz/application_spawner.rb:334:in `handle_spawn_application'
passenger (2.2.4) lib/phusion_passenger/utils.rb:182:in `safe_fork'
passenger (2.2.4) lib/phusion_passenger/railz/application_spawner.rb:332:in `handle_spawn_application'
passenger (2.2.4) lib/phusion_passenger/abstract_server.rb:351:in `__send__'
passenger (2.2.4) lib/phusion_passenger/abstract_server.rb:351:in `main_loop'
passenger (2.2.4) lib/phusion_passenger/abstract_server.rb:195:in `start_synchronously'
passenger (2.2.4) lib/phusion_passenger/abstract_server.rb:162:in `start'
passenger (2.2.4) lib/phusion_passenger/railz/application_spawner.rb:213:in `start'
passenger (2.2.4) lib/phusion_passenger/spawn_manager.rb:261:in `spawn_rails_application'
passenger (2.2.4) lib/phusion_passenger/abstract_server_collection.rb:126:in `lookup_or_add'
passenger (2.2.4) lib/phusion_passenger/spawn_manager.rb:255:in `spawn_rails_application'
passenger (2.2.4) lib/phusion_passenger/abstract_server_collection.rb:80:in `synchronize'
passenger (2.2.4) lib/phusion_passenger/abstract_server_collection.rb:79:in `synchronize'
passenger (2.2.4) lib/phusion_passenger/spawn_manager.rb:254:in `spawn_rails_application'
passenger (2.2.4) lib/phusion_passenger/spawn_manager.rb:153:in `spawn_application'
passenger (2.2.4) lib/phusion_passenger/spawn_manager.rb:286:in `handle_spawn_application'
passenger (2.2.4) lib/phusion_passenger/abstract_server.rb:351:in `__send__'
passenger (2.2.4) lib/phusion_passenger/abstract_server.rb:351:in `main_loop'
passenger (2.2.4) lib/phusion_passenger/abstract_server.rb:195:in `start_synchronously'
Rendering /public/422.html (422 Unprocessable Entity)
Hope that helps someone.
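To make the failure concrete, here is an added example (not code from the original post or from Rails) that models the session-backed token check in plain Ruby and turns the exception into a redirect instead of a bare 422. It covers both the cookies-disabled case above and the deleted-session case raised in the comments; `TinyApp`, its methods and the `/cookies_required` and `/login` paths are hypothetical names, and in a real Rails application the equivalent hook would be `rescue_from ActionController::InvalidAuthenticityToken` in the application controller.

```ruby
require "securerandom"
# Framework-free model of a session-backed CSRF check (hypothetical names, not Rails' API).
class InvalidAuthenticityToken < StandardError; end

class TinyApp
  def initialize
    @sessions = {} # session id => per-session data, including the CSRF token
  end

  # GET form: returns [session id sent as a cookie, token embedded in the form].
  def render_form(cookie_sid)
    sid, session = load_session(cookie_sid)
    session[:csrf] ||= SecureRandom.base64(32)
    [sid, session[:csrf]]
  end

  # POST form: returns [status, body or redirect target].
  def submit_form(cookie_sid, form_token)
    _sid, session = load_session(cookie_sid)
    verify!(session, form_token)
    [200, "signed in"]
  rescue InvalidAuthenticityToken
    # The request is still rejected; only the response is friendlier than a bare 422.
    return [302, "/cookies_required"] if cookie_sid.nil? # browser sent no cookie
    [302, "/login"] # expired session or forged token
  end

  def expire(sid)
    @sessions.delete(sid)
  end

  private
  def load_session(cookie_sid)
    return [cookie_sid, @sessions[cookie_sid]] if cookie_sid && @sessions.key?(cookie_sid)
    sid = SecureRandom.hex(16) # unknown or missing cookie: start a fresh, empty session
    [sid, (@sessions[sid] = {})]
  end

  def verify!(session, form_token)
    expected = session[:csrf]
    raise InvalidAuthenticityToken unless expected && secure_equal?(expected, form_token.to_s)
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
  end
end
```

A browser that returns the cookie signs in; one that sends no cookie lands on the cookies page; a deleted session or a wrong token goes back to the login form, and in every failing case the POST itself is still refused.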
I’ve been googling around trying to figure out this issue. My stack trace looks very similar to yours, but I know I have cookies enabled. In fact, I get this error at times when I try to *destroy* sessions.
Agreed. I can consistently recreate this issue if I am sitting on a form page, delete my session out of the sessions table and then try to submit the form. Instead of my application catching that the session has expired with my before_filter and redirecting to the login as it SHOULD, it instead gives the InvalidAuthenticationToken error and throws a 422. It doesn’t give me the option to handle this properly…
I just figured out what the issue was with me right as I typed that above…
In my application controller, I have a before_filter to make sure the user is logged in. This was placed below the protect_from_forgery statement. So, I’m guessing the protect_from_forgery would look at the authenticity_token from an invalid session and freak out… This was consistent.
So, I moved the before_filter ABOVE the protect_from_forgery line and now it consistently redirects to the login page when the session has been destroyed.
I’m also getting ActionController::InvalidAuthenticityToken when the user has turned off cookies. I’m not sure how to deal with it. I would like it to go to a page that says “please turn on your cookies”.
Any suggestions on how to do this?
Thanks for your help.
Actually, this seems to be a good workaround:
http://kill-0.com/duplo/2007/07/12/rails-cookie-detection/