Rails 4 upgrade throwing InvalidAuthenticityToken

254 views Asked by At

My application just upgraded to Rails 4 and we're starting to see random InvalidAuthenticityToken errors. I have done a bunch of investigating but not yet found a solution. Anyone know what happened and how to fix it?

Calling out things that appeared in other similar SO questions but do not apply to me:

We call protect_from_forgery with: :exception in ApplicationController, but we were doing this in Rails 3 as well and did not have this error.

I have confirmed these are normal users using the website in a standard fashion; these are not CSRF attempts.

These are not API calls, they are standard web form submissions.

The authenticity token is present in both the form (via Rails form_for or form_tag generation) and in the submitted request.

My sessions should not have an expiration set, since I do not set an expiration time and the Rails default is forever, and my users don't often log in or out (so expired tokens are unlikely, as is "had a tab open, logged into a separate tab, went back to open tag and attempted action").

The csrf_meta_tag was generating the same tokens as my forms and removing it does not help.

My users confirmed they experienced this on at minimum Firefox, Chrome and Safari.

All code is available on Github.

Possibly relatedly: if I change my development secret_key_base in secrets.yml and change my session_store.rb file to use: Rails.application.config.session_store :cookie_store, key: '_glowfic_constellation_' + Rails.env, domain: 'glowfic.com', tld_length: 2 and restart the server, I am logged out and can reliably experience this error 100% of the time when attempting to log in.

Edit calling out a couple more things:

I can't force clear all sessions because I use cookie stores, but I've already reset the secret_key_base and cookie name in production, which (hard to tell but I think) helped? But did not fix the issue.

The "possibly related" seems to be unrelated, and to have been related to the domain "glowfic.com" not supporting "localhost"; if I use the domain localhost instead, I can't reproduce locally.

0

There are 0 answers