Heroku/Rails/Devise: The change you wanted was rejected

I'm having a problem with my Rails 4.2 app running the latest version of Devise on Heroku. I'm going to preface this by stating that I have not pushed any code changes to production in quite some time and that this issue only started recently.

When I go to log in, I receive an error saying "The change you wanted was rejected." When I view the logs, I can see that it's a problem with the CSRF token.

2015-04-04T19:52:22.430533+00:00 app[web.1]: Started POST "/users/sign_in" for 76.119.72.58 at 2015-04-04 19:52:22 +0000
2015-04-04T19:52:22.435480+00:00 app[web.1]: Completed 422 Unprocessable Entity in 1ms
2015-04-04T19:52:22.434143+00:00 app[web.1]: Processing by Devise::SessionsController#create as HTML
2015-04-04T19:52:22.434211+00:00 app[web.1]:   Parameters: {"utf8"=>"✓", "authenticity_token"=>"94uXDeV2wbb1XMfUL445zrIrbhS92pwe+9tWxkyvwtJhnZtZS3ydYOeP2grZvT/t2YMa2A2k/pA+U5X3gFXlAw==", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Log in"}
2015-04-04T19:52:22.435112+00:00 app[web.1]: Can't verify CSRF token authenticity
2015-04-04T19:52:22.438522+00:00 app[web.1]:

I've been scouring StackOverflow for answers and have tried everything I can think of. I've tried a few different things so far:

  1. I added this line to my session_store.rb thinking that it might be an issue with the cookies being mixed between development and production environments:

     Rails.application.config.session_store :cookie_store, key: "_abhnation_session_#{Rails.env}"

  2. I do NOT have the rails-api gem, which some discussions suggested might be the culprit.

I've also noticed that the problem is strictly with Firefox and is not environment-specific. It occurs in development, test, and production. I've only been able to get around it in test by stubbing sessions.

I can't figure out what caused this to happen. I have not pushed any changes to my public-facing production environment in a few months.

Here is the code link: http://github.com/danielbonnell/abhnation-rails Here is the live site: http://abhnation.herokuapp.com/

Daniel Bonnell asked Apr 04 '15 20:04


4 Answers

Turns out the issue (at least for me) was being caused by the Blur / DoNotTrackPlus extension for Firefox. I had previously disabled it, but that had no effect. When I removed it, however, the problem went away.

Hope this helps someone in the future.

Daniel Bonnell answered Oct 28 '22 00:10


This turned out to be a problem with Cloudflare for me. I missed the following log line when reviewing the error:

HTTP Origin header (https://test-app.my.app) didn't match request.base_url (http://test-app.my.app)

I had the Flexible SSL mode enabled for my domain. This needs to be set to Full SSL to ensure that https:// is forced when Cloudflare communicates with your app.

Nick answered Oct 28 '22 00:10
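A triage helper for the two log messages quoted on this page, as an added example that is not part of any answer or of Rails itself: it separates an Origin/base_url scheme mismatch (the proxy TLS case in the answer above) from a plain token failure (the cookie-related cases in the other answers). The function names are hypothetical, and the sample line marked as constructed is not from the page.

```ruby
require "uri"

# Message formats copied from the two log lines quoted on this page.
ORIGIN_MISMATCH = /HTTP Origin header \((?<origin>[^)]+)\) didn't match request\.base_url \((?<base>[^)]+)\)/
TOKEN_FAILURE   = /Can't verify CSRF token authenticity/

# Classify one log line; returns nil when the line is not a CSRF rejection.
#   :scheme_mismatch -> browser used one scheme, app saw another: check the
#                       TLS mode between the proxy/CDN and the app
#   :host_mismatch   -> Origin host differs from the host the app saw
#   :port_mismatch   -> same scheme and host, different port
#   :token_or_cookie -> token did not verify: check that the session cookie
#                       is sent back (browser settings, extensions, domain)
def classify_csrf_line(line)
  if (m = ORIGIN_MISMATCH.match(line))
    origin = URI.parse(m[:origin])
    base   = URI.parse(m[:base])
    return :host_mismatch   if origin.host != base.host
    return :scheme_mismatch if origin.scheme != base.scheme
    :port_mismatch
  elsif TOKEN_FAILURE.match?(line)
    :token_or_cookie
  end
rescue URI::InvalidURIError
  :unparseable_origin
end

# Count each category across a batch of log lines.
def summarize(lines)
  lines.each_with_object(Hash.new(0)) do |line, counts|
    kind = classify_csrf_line(line)
    counts[kind] += 1 if kind
  end
end

SAMPLE_LOG = [
  # The next three lines are taken from this page.
  "2015-04-04T19:52:22.434143+00:00 app[web.1]: Processing by Devise::SessionsController#create as HTML",
  "2015-04-04T19:52:22.435112+00:00 app[web.1]: Can't verify CSRF token authenticity",
  "HTTP Origin header (https://test-app.my.app) didn't match request.base_url (http://test-app.my.app)",
  # Constructed line (not from the page) showing a host mismatch.
  "HTTP Origin header (https://www.example.test) didn't match request.base_url (https://example.test)"
].freeze

summarize(SAMPLE_LOG).each { |kind, n| puts "#{kind}: #{n}" } if __FILE__ == $PROGRAM_NAME
```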


Update the setting to allow for cookies in the iOS Safari browser.

I had the same message on my iOS iPhone Safari; however, once I allowed cookies for iOS Safari, it solved the problem.

David Mesaros answered Oct 28 '22 01:10


You can also check your cookie domain - make sure it's set to the correct *.herokuapp.com domain.

court3nay answered Oct 28 '22 01:10