Error: "ActionController::InvalidAuthenticityToken"

Hi there,

I have my first Rails app running and I regularly get the following
“logged_exception” error message:

“ActionController::InvalidAuthenticityToken”

Has anybody an idea what might cause this problem? Could it somehow be a
“time out” error (like an “AuthenticityToken” which might expire after a
certain time, or something along those lines)?

Any idea how that error could be prevented from occurring?

The “backtrace” always starts like this:

=================
/usr/lib/ruby/gems/1.8/gems/actionpack-2.3.3/lib/action_controller/request_forgery_protection.rb:79:in `verify_authenticity_token'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.3.3/lib/active_support/callbacks.rb:178:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.3.3/lib/active_support/callbacks.rb:178:in `evaluate_method'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.3.3/lib/active_support/callbacks.rb:166:in `call'

Thanks for any help with this!
Tom

The Authenticity Token is a value that is inserted into forms (when using
the form_for helper) that is then checked when the submit request is sent.
It helps prevent CSRF attacks.

What is likely happening is that you’re generating your own form and not
including the token (which you can do by inserting a hidden field and using
the authenticity_token helper).

You can learn more about CSRF and Rails’ protection at:

Cheers,

Andy


Andy J.
http://andyjeffries.co.uk/ #rubyonrails #mysql #jquery
Registered address: 64 Sish Lane, Stevenage, Herts, SG1 3LS
Company number: 5452840

Yeah, Andy is right. Why don’t you send us the code that generates these
error requests? I have seen this error in some Ajax components like
autocomplete. They create a form but do not send the token.

I posted this on my blog:
http://blogdomario.wordpress.com/2009/05/29/autocomplete-versus-rails-2-x/

2010/2/22 Andy J. [email protected]

Cross-site request forgery - Wikipedia

You received this message because you are subscribed to the Google G.
“Ruby on Rails: Talk” group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.


Mário Sérgio Coelho Marroquim

http://www.muraldeideias.com.br

Thanks for your hints…

Well, the code is actually the following:

<%= check_box_tag 'applicationfile_verified',
                  nil,
                  applicationfile.verified,
                  { :onclick => "#{remote_function(:url => {
                      :controller => 'applicationfiles',
                      :action     => 'verify',
                      :id         => applicationfile.id })}" } %>

…which results in the following source…

And since the source includes…

data:'authenticity_token=' + encodeURIComponent('xV3Ayw...9Nnjs=')

…it would mean the Authenticity Token is there and OK, right?

It could also be caused by users with cookies disabled in the browser,
incorrect protect_from_forgery settings, or caching of authenticity
tokens.

Have you cached your view by any chance? That would mean that the
authenticity_token in the view is stored in a cached file and not really
dynamic?

Cheers,
Aditya

Seems fine to me!

2010/2/23 Tom Ha [email protected]



Mário Sérgio Coelho Marroquim

http://www.muraldeideias.com.br

Only sometimes…

Maybe due to bots…?

Does it always do it or only sometimes?

On 14 May 2010, at 18:09, Tom Ha wrote:

Only sometimes…

Maybe due to bots…?

We’ve had it happen on random occasions while using the RESTful
authentication plugin after upgrading Rails. I remember reading a
ticket issue somewhere about it and iirc it has to do with something
funky in reset_session. But since we had the need for Rack-based
authentication as well as some other features, we switched to Devise
and have had no error reports ever since.

Best regards

Peter De Berdt

I can confirm that I use the RESTful authentication plugin, too.

Thanks for your input!
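
The intermittent causes raised in this thread (cookies disabled, a cached view carrying someone else's token, a session reset between rendering and submitting) all come down to the submitted token no longer matching the one stored in the submitter's session. The Ruby model below is an added example, not code from the thread or from Rails: `ToyApp`, its methods and `scenarios` are hypothetical, and it assumes the token is kept in the session under `_csrf_token` and compared with the submitted value.

```ruby
require 'securerandom'

# Simplified model of a session-bound CSRF token (constructed for this
# example; not Rails' own code). The session holds the token, the form a copy.
class ToyApp
  def initialize
    @sessions = {}    # cookie value => session hash
    @page_cache = {}  # path => rendered HTML shared by all visitors
  end

  # Unknown or missing cookie (e.g. cookies disabled) => brand-new session.
  def session_for(cookie)
    cookie = SecureRandom.hex(8) unless @sessions.key?(cookie)
    [cookie, @sessions[cookie] ||= {}]
  end

  def token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # With cache: true the first visitor's HTML, token included, is replayed.
  def render_form(cookie, cache: false)
    cookie, session = session_for(cookie)
    html = "authenticity_token=#{token_for(session)}"
    html = (@page_cache['/form'] ||= html) if cache
    [cookie, html]
  end

  def reset_session(cookie)
    @sessions[cookie] = {}
  end

  # Rails raises InvalidAuthenticityToken where this returns :invalid_token.
  def submit(cookie, html)
    _, session = session_for(cookie)
    html.split('=', 2).last == token_for(session) ? :ok : :invalid_token
  end
end

def scenarios
  app = ToyApp.new
  me, form = app.render_form(nil)
  results = { normal: app.submit(me, form) }
  results[:cookies_disabled] = app.submit(nil, form)   # cookie never sent back
  app.render_form(nil, cache: true)                    # visitor 1 fills the cache
  other, cached = app.render_form(nil, cache: true)    # visitor 2 gets visitor 1's token
  results[:cached_view] = app.submit(other, cached)
  app.reset_session(me)                                # session wiped after render
  results.merge(after_reset: app.submit(me, form))
end
```

Only the `normal` case verifies; the other three fail even though a well-formed token is present in the request, which is why inspecting the page source alone does not rule them out.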