Topic: InvalidAuthenticityToken

I'm getting to grips with the restful authentication plugin.

I've just added sessions to the database, and I've also had to put the protect_from_forgery string into application.rb

Now, when the user signs out, then signs back in, I get the following error:

ActionController::InvalidAuthenticityToken in SessionsController#create

The request params are:

"commit"=>"Sign in"}

I'm assuming that the authenticity token is stale after the logout.  How can I reset this?
Re: InvalidAuthenticityToken

Did you ever get a response to this?  I'm having similar troubles.

Re: InvalidAuthenticityToken

reset_session might work.

Re: InvalidAuthenticityToken

I'm having the same issue. It only occurs when a user logs out and directly logs back in. What seems to be the problem is that the generated login form has the old authenticity token in it, rather than the new one.

reset_session doesn't fix this, either. Any ideas?

Re: InvalidAuthenticityToken

Hi there,
It seems that deleting the cookie is the solution. Even though the session data may be stored on the server side in the database, the user requests have to be authenticated nevertheless. Thus at least the session security key is stored on the client side in a cookie.
I solved the problem by using
"cookies.delete :user_id"
at logout.
Including this method call at login will make sure that no old cookies are interfering with the actual session.

Re: InvalidAuthenticityToken

How exactly did you implement this?  I seem to be having the same problem. I'm seeing lots of invalid authenticity token errors in my logs on requests dealing with user accounts (login and new user registration) but can't seem to replicate this on my side.

I tried adding something to reset the session on logout; it seems to work locally, but since I can't replicate the error, I'm not sure.  Still seeing the errors in my production log.

I found this post while reading this article: … ter-deploy

Though they solved it by using passenger, which I am already using...

Last edited by Hamoth (2010-06-04 17:53:16)

High-Tech Creative Services

Re: InvalidAuthenticityToken

Are you in an iframe?  IE6 and Safari famously don't let you set cookies in an iframe.  Rails' csrf stuff then bites the dust. … 28118.html

My App IS in an iframe. 

This is the problem I was having.

High-Tech Creative Services
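An added model of the mechanism this thread circles around (my own sketch for illustration, not Rails or restful_authentication code): the authenticity token lives inside the session, the login form embeds the token of whichever session rendered it, and a request whose cookie names no known session silently gets a fresh session with a fresh token. The `Server`, `Browser`, `accepts_cookies:` and `logout_then_login` names are assumptions of this example; `accepts_cookies: false` stands in for a browser that refuses the session cookie, as described for IE6 and Safari inside an iframe.

```ruby
require 'securerandom'
class InvalidAuthenticityToken < StandardError; end
# Server side: sessions stored by id (like the database session store); the CSRF
# token lives inside the session data, as with Rails' protect_from_forgery.
class Server
  def initialize; @sessions = {}; end
  def new_session; id = SecureRandom.hex(8); @sessions[id] = {}; id; end
  def token(session); session[:_csrf_token] ||= SecureRandom.base64(32); end
  # A request whose cookie names no known session silently gets a new one.
  def session_for(cookie_id)
    id = @sessions.key?(cookie_id) ? cookie_id : new_session
    [@sessions[id], id]
  end
  # GET /session/new: the form embeds the token of the session that answered.
  def render_login_form(cookie_id)
    session, id = session_for(cookie_id)
    { form_token: token(session), set_cookie: id }
  end
  # POST /session: the hidden field must equal the token of the session named
  # by the request's cookie; anything else raises InvalidAuthenticityToken.
  def create_session(cookie_id, form_token)
    session, id = session_for(cookie_id)
    raise InvalidAuthenticityToken unless form_token == token(session)
    { ok: true, set_cookie: id }
  end
  # Logout with reset_session: the old session is dropped and a new id issued.
  def logout(cookie_id)
    @sessions.delete(cookie_id)
    { set_cookie: new_session }
  end
end
# Browser cookie jar; accepts_cookies: false models IE6/Safari in an iframe
# (assumed behaviour for this example: Set-Cookie is simply ignored).
class Browser
  attr_reader :session_cookie
  def initialize(accepts_cookies: true); @accepts = accepts_cookies; end
  def receive(response)
    @session_cookie = response[:set_cookie] if @accepts
    response
  end
end
# Sign out, then sign in again with a freshly rendered login form.
def logout_then_login(accepts_cookies: true)
  server, browser = Server.new, Browser.new(accepts_cookies: accepts_cookies)
  browser.receive(server.render_login_form(browser.session_cookie))
  browser.receive(server.logout(browser.session_cookie))
  form = browser.receive(server.render_login_form(browser.session_cookie))
  server.create_session(browser.session_cookie, form[:form_token])[:ok]
rescue InvalidAuthenticityToken
  :invalid_authenticity_token
end
```

With the cookie accepted, the re-rendered form and the POST share one session and the login succeeds; with the cookie refused, every request is a new session, so the token in the form can never match the one checked on submit.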