Welcome to Working With Rails


Random Issue with Invalid AuthenticityToken


I would appreciate any thoughts or ideas on the following issue:

I have a RoR application with all forms created dynamically. Unfortunately, sometimes when you hit the back button of the browser and try to log in via the Login form, an error message will come up with "Invalid Authenticity Token".

Can anyone suggest what is wrong, or has anyone had a similar experience before?

Thank you!

I think it is because Rails automatically calls verify_authenticity_token on every POST request (not sure about PUT and friends) as a before_filter. So when we create a new form using form_for, Rails automatically adds the token. Maybe the solution is that you can add it to your form, or you can also skip the filter with

skip_before_filter :verify_authenticity_token,
                     :only => [:your_action]

in your controller

Hi there, thank you for your feedback!

I am not so sure that this is the right approach, since this would compromise the security of the app. I want to have the Authenticity of each token but alas the problem is that something is not configured correctly.

It seems that for some reason it sometimes sends an invalid token, or maybe the SAME? Can this be the case?

As mentioned, Rails will check the authenticity token only for state-mutating requests (POST, PUT, DELETE). If you receive the InvalidAuthenticityToken exception when you use the back button, the browser is likely attempting to resend a form submission request in order to display the previous page. You don't want this to happen, obviously. Even if you don't get the InvalidAuthenticityToken exception, you may be attempting to mutate the state of your system in meaningless ways; for example, creating the same user more than once.

The controller actions for non-GET requests should never render views; they should always redirect to a GET request that the user can safely request multiple times. For example, if you create (POST) or edit (PUT) a resource, redirect to the show page for that resource. This way if the user uses the Refresh button to redraw a view, or the Back button to return to a view, the browser will resend the idempotent GET request.


Thank you for your feedback!

The problem arises when:

1. I log out from the app and go to the login form
2. then visit another page (clicking on a link)
3. hit the Back button to return to the login form
4. try to log in

I also get this message:

... The change you wanted was rejected. Maybe you tried to change something you didn't have access to. ....

Here is the code for the authenticity token:

Hope that helps

If you don't want the default Rails message (which is in public/422.html), you can always rescue the exception. Try the following:

In your application_controller.rb:

rescue_from ActionController::InvalidAuthenticityToken, :with => :rescue_invalid_token

def rescue_invalid_token
  # do what you want here.
  # maybe you should redirect to the login page and add a flash saying that the session expired
end
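
Added example, not from any poster and not Rails' own implementation: a simplified plain-Ruby model of a session-bound token, showing one way a form restored by the Back button can carry a token that no longer matches, and how the rejected POST can be answered with a redirect to a fresh form instead of skipping verification. The `Session` class, the `/login` and `/dashboard` paths and all function names are assumptions for illustration.

```ruby
require "securerandom"

# Simplified model of a session-bound CSRF token; not Rails' own code.
class Session
  attr_reader :data
  def initialize
    @data = {}
  end

  # What a logout or session expiry amounts to: the stored token is gone.
  def reset!
    @data = {}
  end
end

# One token per session, embedded in every form rendered for it.
def form_token(session)
  session.data[:csrf_token] ||= SecureRandom.base64(32)
end

# Compare without returning early on the first differing byte.
def valid_token?(session, submitted)
  expected = session.data[:csrf_token]
  return false if expected.nil? || submitted.nil?
  return false unless expected.bytesize == submitted.bytesize
  expected.bytes.zip(submitted.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Login POST (hypothetical paths): on a bad token, process nothing and
# redirect to the GET form, which is rendered with the current token.
def handle_login_post(session, params)
  unless valid_token?(session, params[:authenticity_token])
    return { status: 302, location: "/login", flash: "Session expired, please log in again." }
  end
  { status: 302, location: "/dashboard" }
end

# Constructed scenario: a cached form outlives the session it was rendered for.
def back_button_scenario
  session = Session.new
  stale = form_token(session)   # login form rendered, later restored by Back
  session.reset!                # session replaced in the meantime
  form_token(session)           # another page rendered under the new session
  rejected = handle_login_post(session, { authenticity_token: stale })
  fresh = form_token(session)   # GET /login after the redirect
  accepted = handle_login_post(session, { authenticity_token: fresh })
  [rejected, accepted]
end
```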