I'm having a problem with my Rails 4.2 app running the latest version of Devise on Heroku. I'm going to preface this by stating that I have not pushed any code changes to production in quite some time and that this issue only started recently.
When I go to log in, I receive an error saying "The change you wanted was rejected." When I view the logs, I can see that it's a problem with the CSRF token.
2015-04-04T19:52:22.430533+00:00 app[web.1]: Started POST "/users/sign_in" for 76.119.72.58 at 2015-04-04 19:52:22 +0000
2015-04-04T19:52:22.435480+00:00 app[web.1]: Completed 422 Unprocessable Entity in 1ms
2015-04-04T19:52:22.434143+00:00 app[web.1]: Processing by Devise::SessionsController#create as HTML
2015-04-04T19:52:22.434211+00:00 app[web.1]: Parameters: {"utf8"=>"✓", "authenticity_token"=>"94uXDeV2wbb1XMfUL445zrIrbhS92pwe+9tWxkyvwtJhnZtZS3ydYOeP2grZvT/t2YMa2A2k/pA+U5X3gFXlAw==", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Log in"}
2015-04-04T19:52:22.435112+00:00 app[web.1]: Can't verify CSRF token authenticity
2015-04-04T19:52:22.438522+00:00 app[web.1]:
I've been scouring StackOverflow for answers and have tried everything I can think of. I've tried a few different things so far:
I added this line to my session_store.rb, thinking that it might be an issue with the cookies being mixed between development and production environments:
Rails.application.config.session_store :cookie_store, key: "_abhnation_session_#{Rails.env}"
I do NOT have the rails-api gem, which some discussions suggested might be the culprit.
I've also noticed that the problem is strictly with Firefox and is not environment-specific. It occurs in development, test, and production. I've only been able to get around it in test by stubbing sessions.
I can't figure out what caused this to happen. I have not pushed any changes to my public-facing production environment in a few months.
Here is the code link: http://github.com/danielbonnell/abhnation-rails Here is the live site: http://abhnation.herokuapp.com/
Turns out the issue (at least for me) was being caused by the Blur / DoNotTrackPlus extension for Firefox. I had previously disabled it, but that had no effect. When I removed it, however, the problem went away.
Hope this helps someone in the future.
This turned out to be a problem with Cloudflare for me. I missed the following log line when reviewing the error:
HTTP Origin header (https://test-app.my.app) didn't match request.base_url (http://test-app.my.app)
I had the Flexible SSL mode enabled for my domain. This needs to be set to Full SSL to ensure that https:// is forced when Cloudflare communicates with your app.
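The Origin check behind the log line in the answer above, as an added illustration that is not part of the original question or answers: the env hashes are constructed and the base_url_for helper is a simplified model of how a Rack request derives its scheme behind a proxy, not Rails' own code.

```ruby
# Added example: a minimal model of the Origin-header check Rails' forgery
# protection runs on every non-GET request, showing why Cloudflare's Flexible
# SSL mode makes Devise login fail with a 422. All request data is constructed;
# the env keys follow Rack conventions.

# request.base_url is built from the scheme the app believes the request used.
# Behind a proxy that scheme comes from X-Forwarded-Proto when present,
# otherwise from the scheme of the hop that actually reached the app.
def base_url_for(env)
  scheme = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']
  "#{scheme}://#{env['HTTP_HOST']}"
end

# Mirrors the rule in Rails' valid_request_origin?: a request without an Origin
# header is accepted, otherwise Origin must equal base_url exactly, scheme
# included. A mismatch is what produces the "didn't match request.base_url" log.
def valid_request_origin?(env)
  origin = env['HTTP_ORIGIN']
  origin.nil? || origin == base_url_for(env)
end

# Flexible SSL: the browser talks https to Cloudflare, but the hop that reaches
# the app is plain http, so base_url is http://... while Origin is https://...
FLEXIBLE_SSL_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'http',
  'HTTP_HOST' => 'test-app.my.app',
  'HTTP_ORIGIN' => 'https://test-app.my.app'
}.freeze

# Full SSL: the hop to the app is https as well, so both sides of the check agree.
FULL_SSL_ENV = FLEXIBLE_SSL_ENV.merge(
  'rack.url_scheme' => 'https', 'HTTP_X_FORWARDED_PROTO' => 'https'
).freeze

# Outcome of the check under each Cloudflare mode.
def compare_ssl_modes
  { flexible: valid_request_origin?(FLEXIBLE_SSL_ENV),
    full: valid_request_origin?(FULL_SSL_ENV) }
end

if __FILE__ == $PROGRAM_NAME
  compare_ssl_modes.each do |mode, ok|
    puts "#{mode}: #{ok ? 'CSRF origin check passes' : 'CSRF origin check fails (422)'}"
  end
end
```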
Update the setting to allow for cookies in the iOS Safari browser.
I had the same message on my iOS iPhone Safari; however, once I allowed cookies for iOS Safari, it solved the problem.
You can also check your cookie domain - make sure it's set to the correct *.herokuapp.com domain.