Ticket #72 (closed defect: fixed)

Opened 9 months ago

Last modified 8 months ago

getting a lot of ActionController::InvalidAuthenticityToken after latest update

Reported by: jon@… Owned by: jweiss
Priority: major Milestone:
Component: component1 Version:
Keywords: Cc:

Description

Seemingly in random places, and most requests succeed on a reload/refresh.

Change History

Changed 9 months ago by jweiss

  • owner changed from somebody to jweiss

I'm seeing this also in development mode. The problem seems to be the Cross-Site Request Forgery Protection of Rails 2.0 that is enabled by using the Session Cookie.

Are you also seeing this in production?

Changed 9 months ago by kosmas

  • The problem also occurs in the production environment.
  • The problem only occurs when I call Webistrano for the first time after starting a session and get redirected to the login screen. After the login it doesn't occur again during the session.

Changed 9 months ago by jweiss

I will look into this but it seems to be a general Rails Cookie Session Store problem.

Changed 8 months ago by bill.marquette

Unless I'm way off-base, this seems to fix the issue for me:

Index: app/controllers/application.rb
===================================================================
--- app/controllers/application.rb	(revision 85)
+++ app/controllers/application.rb	(working copy)
@@ -13,7 +13,7 @@
 
   # See ActionController::RequestForgeryProtection for details
   # Uncomment the :secret if you're not using the cookie session store
-  protect_from_forgery :secret => '34$$adea99357513604a2fcac57912a908e5-092:@#$8hsmne5390' 
+  protect_from_forgery :secret => WebistranoConfig[:session_secret]
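Review bot: The new `protect_from_forgery :secret => WebistranoConfig[:session_secret]` line contradicts the comment directly above it ("Uncomment the :secret if you're not using the cookie session store"): the ticket says the cookie session store is in use, so passing a `:secret` here is exactly the configuration the comment warns against, and if `WebistranoConfig[:session_secret]` is unset the call receives `nil`. Either drop the `:secret` option for the cookie store case or update the comment to describe when `WebistranoConfig[:session_secret]` must be set. Removing the hard-coded secret string is the right move regardless, since a secret committed to the repository is shared by every installation.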

The hash doesn't need to be specified either when using the default cookie session store, but on the off chance a user has changed it, this seems like a sane default.

Changed 8 months ago by bill.marquette

I must not have bounced the server after one of my changes, the auth token error came back. But seems to (really) be fixed with this:

Index: app/controllers/application.rb
===================================================================
--- app/controllers/application.rb	(revision 85)
+++ app/controllers/application.rb	(working copy)
@@ -13,7 +13,7 @@
 
   # See ActionController::RequestForgeryProtection for details
   # Uncomment the :secret if you're not using the cookie session store
-  protect_from_forgery :secret => '34$$adea99357513604a2fcac57912a908e5-092:@#$8hsmne5390' 
+  protect_from_forgery
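Review bot: With `:secret` dropped, the comment two lines above ("Uncomment the :secret if you're not using the cookie session store") now refers to a line that no longer exists; keep a commented-out `# protect_from_forgery :secret => ...` line (without a real value) or reword the comment so a deployer who switches session stores knows what to add. Otherwise this matches the documented cookie-store setup and retires the checked-in secret from the removed line.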

Changed 8 months ago by jweiss

  • status changed from new to closed
  • resolution set to fixed

applied as r86 - thanks!
