Getting ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken) error for devise sign in and sign up

Question

I know there are so many posts related to this error but still...

I am getting following error while sign in / sign up for devise. (2 days back it is working fine able to sing in / up.)

Feb 02 22:16:12 myapp app/web.1:  Processing by Devise::SessionsController#create as HTML 
Feb 02 22:16:12 myapp app/web.1:    Parameters: {"utf8"=>"✓", "authenticity_token"=>"d0R529vsmCovMKZk1RC9ioxfVHivvVGKxPFvNkEUqVId08qPMDRN0lu9yULIAaTJR+p1oOXyg8QsE+PdZx4CHg==", "user"=>{"app_name"=>"tempo", "email"=>"xyz@vision.com", "password"=>"[FILTERED]"}, "commit"=>"submit"} 
Feb 02 22:16:12 myapp app/web.1:  Can't verify CSRF token authenticity 
Feb 02 22:16:12 myapp app/web.1:  ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken): 
Feb 02 22:16:12 myapp app/web.1:    vendor/bundle/ruby/2.2.0/gems/actionpack-4.2.1/lib/action_controller/metal/request_forgery_protection.rb:181:in `handle_unverified_request' 
Feb 02 22:16:12 myapp app/web.1:    vendor/bundle/ruby/2.2.0/gems/actionpack-4.2.1/lib/action_controller/metal/request_forgery_protection.rb:209:in `handle_unverified_request' 
Feb 02 22:16:12 myapp app/web.1:    vendor/bundle/ruby/2.2.0/gems/devise-3.5.6/lib/devise/controllers/helpers.rb:257:in `handle_unverified_request' 
Feb 02 22:16:12 myapp app/web.1:    vendor/bundle/ruby/2.2.0/gems/actionpack-4.2.1/lib/action_controller/metal/request_forgery_protection.rb:204:in `verify_authenticity_token'

I am getting this error for the production application which is hosted on the Heroku.

I have a staging app (Which is also hosted on the heroku and have same code base) and it is working fine.

I am able to login and sign up on it.

I have referred the following links but getting the same issue

Rails facebook app returns 422 " the change u wanted was rejected" error

devise user sign_in gives authentication error for CSRF token authenticity token

rails - "WARNING: Can't verify CSRF token authenticity" for json devise requests

https://github.com/plataformatec/devise/issues/2734

I am using rails 4 for the same.

EDIT

I have tired following solutions

Removed protect_from_forgery from the application controller
Checked csrf_meta_tags present or not in the layout and it is present.
Also checked authenticity_token from the form. You can find my submitted form details in the log trace.
Added following in application controller

skip_before_filter :verify_authenticity_token, if: :devise_controller?

It is the network issue. Our network administrator made few changes in the firewall that's why it caused the issue. It also affect on the other sites — shrikant1712, Feb 03 '16 at 10:14

Andrew Hendrie · Answer 1 · 2016-02-03T08:21:40.013

1

This could be a couple of things...

1. You forgot to add the <%= csrf_meta_tags %> inside your layout file

<!DOCTYPE html>
<html>
  <head>
    <title>Sample</title>
    <%= stylesheet_link_tag "application", media: "all", "data-turbolinks-track" => true %>
    <%= javascript_include_tag "application", "data-turbolinks-track" => true %>
    <%= csrf_meta_tags %>
  </head>
  <body>  
    <%= yield %>
  </body>
</html>

2. You need to set protect_from_forgery to the following:

Simply declaring protect_from_forgery without a :with argument will utilize :null_session by default:

protect_from_forgery # Same as above

3. The author of Devise suggests disabling protect_from_forgery on the particular controller action that's raising this exception:

# app/controllers/users/registrations_controller.rb
class RegistrationsController < Devise::RegistrationsController
  skip_before_filter :verify_authenticity_token, :only => :create
end

4. You need to add the following line to your form

<%= hidden_field_tag :authenticity_token, form_authenticity_token -%>

edited Feb 03 '16 at 08:21

answered Feb 03 '16 at 08:08

Andrew Hendrie

6,205
4
40
71

I already have `csrf_meta_tags` in my layout and also have `protect_from_forgery` in my application controller. – shrikant1712 Feb 03 '16 at 08:10
are you using a `:with` along with protect_from_forgery? – Andrew Hendrie Feb 03 '16 at 08:13
I have tried this way `skip_before_filter :verify_authenticity_token, if: :devise_controller?` but getting same error – shrikant1712 Feb 03 '16 at 08:14
does your form have a hidden_field_tag :authenticity_token? (edited answer) – Andrew Hendrie Feb 03 '16 at 08:22
No, But I am using form_for which provides the by default `hidden field` for the authenticity_token. – shrikant1712 Feb 03 '16 at 08:25
I have updated my question along with log trace. Please have a look – shrikant1712 Feb 03 '16 at 08:30
Thanks for your reply. Finally debugged the issue. It is the network issue. Our network administrator made few changes in the firewall that's why it caused the issue. It also affect on the other sites. :) – shrikant1712 Feb 03 '16 at 10:13
@shrikant1712 can you explain what happen to your network? – wiwit Aug 08 '22 at 02:32

score 1 · Accepted Answer · answered Feb 03 '16 at 10:15

1

It is the network issue. Our network administrator made few changes in the firewall that's why it caused the issue. It also affect on the other sites

answered Feb 03 '16 at 10:15

shrikant1712

4,336
1
24
42

2

Can you elaborate? It would be very helpful for me and a lot of people that are experiencing the same issue – fenec Jan 31 '17 at 15:25
how to reslove this??? – wiwit Aug 08 '22 at 02:31
kindly explain what happens. we have an identical issue. I don't change any of my code. then suddenly got an error. – wiwit Aug 08 '22 at 02:36

Getting ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken) error for devise sign in and sign up

2 Answers2