We've just upgraded our Errbit app from 0.6.0 to the latest version and we're finding that every POST request is throwing an exception that the CSRF token is invalid...
Example from the logs:
```
Processing by Devise::SessionsController#new as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"iyoHKsD5c68Vk0rsiOG/oaNt+jauqy/IUIYK3GVFCnRikVDd9fFntyFBS2noPlKke27qw18yHw7MPpuglIMrdg==", "user"=>{"email"=>"test@test.com", "password"=>"[FILTERED]", "remember_me"=>"0"}}
Can't verify CSRF token authenticity.
```
It's not clear why this is happening as the `SECRET_KEY_BASE` is present, and we've confirmed that the form and CSRF meta tags are all present in the code... it also works fine locally and worked before the upgrade...
The session_store also doesn't specify anything about domains (and didn't before):
This commit to upgrade to Rails 5.0 https://github.com/errbit/errbit/commit/df2c0a6f8adc9190547d9c1b9ffb0a3fc20f0941?diff=split introduced `Rails.application.config.action_controller.forgery_protection_origin_check = true` in file `config/initializers/new_framework_defaults.rb`, which led to this issue when using nginx as a reverse proxy and not providing sufficient headers.
To fix this, I had to pass on more nginx headers as explained here https://github.com/rails/rails/issues/22965#issuecomment-172929004
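
A simplified Ruby model of why the origin check rejects requests behind a TLS-terminating proxy, added here as an illustration; it is not code from this thread, Errbit or Rails. The host `errbit.example.com`, the upstream `127.0.0.1:3000` and the helper names `base_url` and `origin_check_passes?` are assumptions.

```ruby
# Simplified model of the origin check (an assumption for illustration, not
# Rails or Rack source): a present Origin header must equal the base URL the
# app rebuilds from the request as it arrives from the proxy.
DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze

# Rebuild scheme://host[:port]. Forwarded headers win over the raw connection.
# Hostnames and IPv4 only; IPv6 literals are not handled in this sketch.
def base_url(headers, connection_scheme: "http")
  scheme = (headers["X-Forwarded-Proto"] || connection_scheme).split(",").first.strip
  host = (headers["X-Forwarded-Host"] || headers.fetch("Host")).split(",").last.strip
  name, port = host.split(":", 2)
  port = nil if port && port.to_i == DEFAULT_PORTS[scheme]
  port ? "#{scheme}://#{name}:#{port}" : "#{scheme}://#{name}"
end

# A missing Origin is accepted; "null" or any mismatch is rejected.
def origin_check_passes?(headers, connection_scheme: "http")
  origin = headers["Origin"]
  return true if origin.nil?
  origin != "null" && origin == base_url(headers, connection_scheme: connection_scheme)
end

# Constructed requests: a browser on https://errbit.example.com submits the
# login form; nginx terminates TLS and proxies over plain HTTP to port 3000.
SAMPLES = {
  "no proxy headers set" =>
    { "Origin" => "https://errbit.example.com", "Host" => "127.0.0.1:3000" },
  "Host forwarded only" =>
    { "Origin" => "https://errbit.example.com", "Host" => "errbit.example.com" },
  "Host and X-Forwarded-Proto forwarded" =>
    { "Origin" => "https://errbit.example.com", "Host" => "errbit.example.com",
      "X-Forwarded-Proto" => "https" },
  "client sends no Origin" =>
    { "Host" => "errbit.example.com" }
}.freeze

# Map each sample label to true (accepted) or false (rejected).
def evaluate_samples
  SAMPLES.transform_values { |h| origin_check_passes?(h) }
end

evaluate_samples.each do |label, ok|
  puts format("%-40s %s", label, ok ? "passes" : "rejected (CSRF failure)")
end
```

Forwarding the host alone is not enough here: the app still rebuilds an `http://` base URL, which does not match the browser's `https://` origin.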
What could cause this to happen as we're a bit stuck as to what to check next.