Topic: Random Issue with Invalid AuthenticityToken

Greetings

I would appreciate any thoughts or ideas on the following issue:

I have a RoR application with all forms created dynamically. Unfortunately, sometimes when you hit the back button of the browser and try to log in via the Login form, an error message comes up with “Invalid Authenticity Token”.

Can anyone suggest what is wrong, or has anyone had a similar experience before?

Thank you!

---
Take care !

Re: Random Issue with Invalid AuthenticityToken

Authenticity token errors are related to cookies.
They are either an indication that someone is trying to hack into a session or the cookie has changed/been deleted in some way.
Either way it amounts to the same thing, Rails sees the cookie or lack of as being invalid.
This often occurs if someone clears their browser cache before submitting a form.

In your case, I can only guess that, the session changed during some activity before you hit the back button, then when you hit the back button and go to log back in again the cookie stored in your browser no longer matches the 'old' session.

Solution? The only thing I can suggest is that you provide a more intuitive interface that makes it less likely for a user to want to press the back button.

I have to say that this is a scenario I have not really encountered before.

When your head is hurting from trying to solve a problem, stop standing on it.
Then when you are the right way up you will see the problem differently and you just might find the solution.
(Quote by me 15th July 2009)

Re: Random Issue with Invalid AuthenticityToken

Greetings

Thank you for your feedback! I will check it again!

It is pretty weird, as you point out, since it only occurs on a few occasions.


Re: Random Issue with Invalid AuthenticityToken

Greetings

The problem arises when:
1. I logout from the app and go to login form
2. then visit another page (clicking on a link)
3. hit the Back button to return to the login form
4. try to login

I also get this message:

---
The change you wanted was rejected.
Maybe you tried to change something you didn't have access to.
---

Here is the code for the authenticity token:
<input name="authenticity_token" type="hidden" value="Sv9m/wvBukwY8C2HF0xMnapJLcIw08HL/UyBDD8+o60=" />

Hope that helps


Re: Random Issue with Invalid AuthenticityToken

Well, that's an HTML 422 error.

Are you caching the cookie in some way? Maybe you have implemented some caching functionality; worth some investigation, I think.

The only other thing I can suggest is that you trap the invalid authenticity token error and display something nice to the user.
Perhaps someone else has some suggestions.


Re: Random Issue with Invalid AuthenticityToken

AFAIK the authenticity token is used to protect users from cross-site request forgery attacks.

I have never checked this exactly, but I think it works in the following way:
1) Every time the user requests a page with a form on it, an authenticity token is generated
2) It is inserted into the requested form and also stored in the session
3) Every time the user sends a POST request, the application verifies whether this request contains the token that is stored in the session; if not, the user gets the invalid authenticity token error.

If you request a form, then go to another page with another form, the authenticity token in the session resets, and then if you hit back and submit the form you get that error.

You can actually avoid the authenticity token error by turning forgery protection off, but it is not recommended because it makes your users vulnerable to cross-site forgery :-)
Another approach is to make the user reload the page when he hits the back button.
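The token mechanism described in this post, together with the "trap the error and redirect" idea raised earlier in the thread, modelled in plain Ruby as an added example (this is not Rails' own code; the FakeApp class and its logout!/post methods are constructed for illustration): the token is kept in the session and stamped into each form as the hidden field shown in the thread, a cached form submitted after the session token has changed fails verification, and the handler sends the user to the login form, which renders with the current token.

```ruby
require 'securerandom'
# Constructed stand-in for the pieces of a Rails app the thread talks about:
# a token kept in the session, a hidden field in every form, and a check on POST.
class InvalidAuthenticityToken < StandardError; end

class FakeApp
  def initialize
    @session = {}
  end

  # The token lives in the session and is created the first time a form needs it.
  def authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # What the form helper emits: the hidden field seen in the thread.
  def render_form
    %(<input name="authenticity_token" type="hidden" value="#{authenticity_token}" />)
  end

  # Pull the hidden field back out of a (possibly cached) form page.
  def token_from_form(html)
    html[/name="authenticity_token"[^>]*value="([^"]+)"/, 1]
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verification on POST: the submitted token must equal the session's copy.
  def verify!(params)
    submitted = params['authenticity_token'].to_s
    raise InvalidAuthenticityToken unless secure_compare(submitted, authenticity_token)
    :accepted
  end

  # Logging out resets the session, so every form rendered before this holds a stale token.
  def logout!
    @session = {}
  end

  # Trap the error and send the user to the login form, which renders with the current token.
  def post(params)
    verify!(params)
  rescue InvalidAuthenticityToken
    [:redirect, '/login']
  end
end
```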

Re: Random Issue with Invalid AuthenticityToken

bluesman wrote:

Another approach is to make the user reload the page when he hits the back button.

Now, I've thought about doing that before. Obviously it's always best to provide navigation links so the user is less likely to need to press the back button, but I'd be interested to know if this is possible to do?


Re: Random Issue with Invalid AuthenticityToken

Hi James, thank you for your feedback.

I am not sure that I want to handle the Back button and add specific JavaScript code for this, because I guess I would need to maintain it for all browsers or something like that.

By the way, the error message with HTML code 422 is displayed only in the production environment; the real problem is the InvalidAuthenticityToken.

Since I am not sure how to fix this, I am thinking of overriding all errors and redirecting the user to the login form.
That way the token will be the correct one and no error message will appear, at least until I can find a solution around it.


Re: Random Issue with Invalid AuthenticityToken

bluesman.alex wrote:

AFAIK the authenticity token is used to protect users from cross-site request forgery attacks.

I have never checked this exactly, but I think it works in the following way:
1) Every time the user requests a page with a form on it, an authenticity token is generated
2) It is inserted into the requested form and also stored in the session
3) Every time the user sends a POST request, the application verifies whether this request contains the token that is stored in the session; if not, the user gets the invalid authenticity token error.

If you request a form, then go to another page with another form, the authenticity token in the session resets, and then if you hit back and submit the form you get that error.

You can actually avoid the authenticity token error by turning forgery protection off, but it is not recommended because it makes your users vulnerable to cross-site forgery :-)
Another approach is to make the user reload the page when he hits the back button.

Thank you Alex!

I don't want to deal with the back button, and I surely don't want to turn forgery protection off. My last solution is in the previous post.


Re: Random Issue with Invalid AuthenticityToken

jamesw wrote:

Now I've thought about doing that before, obviously it's always best to provide navigation links so the user is less likely to need to press the back button but I'd be interested to know if this is possible to do?

It is possible and is used by services that require a high security level. If you log into the mail.ru service and then log out and hit back, you won't be able to see the personal page that was displayed after login. Not sure if it is done with JS or some HTML tags. Guess there should be a lot on JS forums about this :-)

I'm not a fan of this approach either...

Last edited by bluesman.alex (2010-07-05 07:02:33)