Menu
Resolution. This error can be due to corrupted cookie in your browser. Clear your browsers cache and cookies, restart the browser and try to log in. If the error remains, the problem is that your browser has blocked any cookies from or because OCLCs Zendesk User Portal.
The authenticity token is designed so that you know your form is being submitted from your website. It is generated from the machine on which it runs with a unique identifier that only your machine can know, thus helping prevent cross-site request forgery attacks.
Rails CSRF TokenThe server generates these tokens, links them to the user session, and stores them in the database. This token is then injected into any form presented to the client as a hidden field. When the client correctly submits the form for validation, it passes the token back to the server.
I had the same issue but with pages which were page cached. Pages got buffered with a stale authenticity token and all actions using the methods post/put/delete where recognized as forgery attempts. Error (422 Unprocessable Entity) was returned to the user.
The solution for Rails 3:
Add:
skip_before_filter :verify_authenticity_token
or as "sagivo" pointed out in Rails 4 add:
skip_before_action :verify_authenticity_token
On pages which do caching.
As @toobulkeh commented this is not a vulnerability on :index, :show actions, but beware using this on :put, :post actions.
For example:
caches_page :index, :show
skip_before_filter :verify_authenticity_token, :only => [:index, :show]
Reference: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html
Note added by barlop- Rails 4.2 deprecated skip_before_filter in favour of skip_before_action https://guides.rubyonrails.org/4_2_release_notes.html "The *_filter family of methods have been removed from the documentation. Their usage is discouraged in favor of the *_action family of methods"
For Rails 6 (as "collimarco" pointed out) you can use skip_forgery_protection and that it is safe to use it for a REST API that doesn't use session data.
For me the cause of this issue under Rails 4 was a missing,
<%= csrf_meta_tags %>
Line in my main application layout. I had accidently deleted it when I rewrote my layout.
If this isn't in the main layout you will need it in any page that you want a CSRF token on.
There are several causes for this error, (relating to Rails 4).
1. Check <%= csrf_meta_tags %> present in page layout
2. check authenticity token is being sent with AJAX calls if using form_for helper with remote: true option.If not you can include the line <%= hidden_field_tag :authenticity_token, form_authenticity_token %> withing the form block.
3. If request is being sent from cached page, use fragment caching to exclude part of page that sends request e.g. button_to etc. otherwise token will be stale/invalid.
I would be reluctant to nullify csrf protection...
ActionController::InvalidAuthenticityToken can also be caused by a misconfigured reverse proxy. This is the case if in the stack trace, you get a line looking like Request origin does not match request base_url.
When using a reverse proxy (such as nginx) as receiver for HTTPS request and transmitting the request unencrypted to the backend (such as the Rails app), the backend (more specifically: Rack) expects some headers with more information about the original client request in order to be able to apply various processing tasks and security measures.
More details are available here: https://github.com/rails/rails/issues/22965.
TL;DR: the solution is to add some headers:
upstream myapp {
server unix:///path/to/puma.sock;
}
location / {
proxy_pass http://myapp;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on; # Optional
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With