Comments on: Sporadic InvalidAuthenticityToken for some users

By: vlod

vlod — Fri, 25 Sep 2009 05:14:36 +0000

actually this seems to be a good workaround:

http://kill-0.com/duplo/2007/07/12/rails-cookie-detection/

By: vlod

vlod — Fri, 25 Sep 2009 05:07:41 +0000

I’m also getting ActionController::InvalidAuthenticityToken when the user has turned off cookies. I’m not sure how to deal with it. I would like it to go to a page that says “please turn on your cookies”.

Any suggestions on how to do this?

Thanks for your help.

By: Dean

Dean — Thu, 24 Sep 2009 00:19:35 +0000

I just figured out what the issue was with me right as I typed that above…

In my application controller, I have a before_filter to make sure the user is logged in. This was placed below the protect_from_forgery statement. So, I’m guessing the protect_from_forgery would look at the authenticity_token from an invalid session and freak out… This was consistent.

So, I moved the before_filter ABOVE the protect_from_forgery line and now it consistently redirects to the login page when the session has been destroyed.

By: Dean

Dean — Thu, 24 Sep 2009 00:09:18 +0000

Agreed. I can consistently recreate this issue if I am sitting on a form page, delete my session out of the sessions table and then try to submit the form. Instead of my application catching the the sessions has expired with my before_filter and redirecting to the login as it SHOULD, it instead gives the InvalidAuthenticationToken error and throws a 422. It doesn’t give me the option to handle this properly…

By: Ryan Cannon

Ryan Cannon — Wed, 12 Aug 2009 01:04:23 +0000

I’ve been googling around trying to figure out this issue. My stack trace looks very similar to yours, but I know I have cookies enabled. In fact, I get this error at times when I try to *destroy* sessions.