Devise: Can't verify CSRF token authenticity

Can you please provide a sample application that reproduces the error?

I am having the same problem on development. I'm using Rails 5.0.0rc1 for what that's worth. Ruby 2.3.0.

Able to reproduce by doing "rails new" on 5.0.0rc1, then adding devise to the Gemfile, bundling, and doing "rails g devise:install" and "rails g devise User". Migrate, add one controller with just an index, add my "before_filter :authenticate_user!" and try registering with devise.

Simple boilerplate app is attached. If I just run "rails server" and attempt to sign up for an account I get an error.

Started POST "/users" for ::1 at 2016-05-09 16:52:38 -0500
Processing by Devise::RegistrationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"G4bysMTzkaIdHWaJpMNSYcDXICwxQir4ZpZO3ZetfKp5f045J9GHr0gtAdST23akaGPBxdI9ufCI0qMySXMuFg==", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Sign up"}
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 2ms (ActiveRecord: 0.0ms)



ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

actionpack (5.0.0.rc1) lib/action_controller/metal/request_forgery_protection.rb:195:in `handle_unverified_request'
actionpack (5.0.0.rc1) lib/action_controller/metal/request_forgery_protection.rb:223:in `handle_unverified_request'
devise (4.1.0) lib/devise/controllers/helpers.rb:253:in `handle_unverified_request'
actionpack (5.0.0.rc1) lib/action_controller/metal/request_forgery_protection.rb:218:in `verify_authenticity_token'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:382:in `block in make_lambda'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:169:in `block (2 levels) in halting'
actionpack (5.0.0.rc1) lib/abstract_controller/callbacks.rb:12:in `block (2 levels) in <module:Callbacks>'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:170:in `block in halting'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:454:in `block in call'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:454:in `each'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:454:in `call'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:101:in `__run_callbacks__'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:750:in `_run_process_action_callbacks'
activesupport (5.0.0.rc1) lib/active_support/callbacks.rb:90:in `run_callbacks'
actionpack (5.0.0.rc1) lib/abstract_controller/callbacks.rb:19:in `process_action'
actionpack (5.0.0.rc1) lib/action_controller/metal/rescue.rb:31:in `process_action'
actionpack (5.0.0.rc1) lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
activesupport (5.0.0.rc1) lib/active_support/notifications.rb:164:in `block in instrument'
activesupport (5.0.0.rc1) lib/active_support/notifications/instrumenter.rb:21:in `instrument'
activesupport (5.0.0.rc1) lib/active_support/notifications.rb:164:in `instrument'
actionpack (5.0.0.rc1) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
actionpack (5.0.0.rc1) lib/action_controller/metal/params_wrapper.rb:248:in `process_action'
activerecord (5.0.0.rc1) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
actionpack (5.0.0.rc1) lib/abstract_controller/base.rb:126:in `process'

devise_test.zip

Actually, as soon as I posted this, I think I may have found the culprit...not devise...

On a lark I tried in a different browser (Safari) and it worked fine. Went back to Chrome and started disabling things...tracked it down to a Chrome plugin "Allow-Control-Allow-Origin: *". Had been using this for debugging a separate project. Removing this plugin solved my problem and now everything behaves as it ought to.

Not sure if this could be the same / similar solution for @maxrosecollins ?

I've been tracking down a similar bug for an app running Rails 4.2.6/ruby2.3.1. The issue for me was caused by a trailing - in the app's subdomain.

In this case, users can choose their own account subdomain, e.g my-account.webapp.com. In testing, an account was created with a trailing space, which got converted into a hyphen, my-app-.webapp.com

Safari would not store any cookies on this subdomain (it didn't seem to be an issue in Chrome). Removing the trailing hyphen fixed it.

May be an unrelated coincidence, but it may be worth checking your app's subdomain on Heroku, and using the browser dev tools to check that a cookie is being set for the domain.

Possibly related: https://github.com/rails/rails/issues/21948

I encountered this message while trying to upgrade an app to Rails 5. In my case I needed to replace protect_from_forgery with protect_from_forgery prepend: true as mentioned in the Rails 5 upgrade guide. Just thought I'd mention it in case someone else encounters this.

@boone thank you!

@boone were you able to figure out why it doesn't work with the default?

@killthekitten I moved on to other projects and never investigated it further, sorry!

@boone thank you! It's for me too!

Seems it's a limitless source of errors, could be related not to devise but to the app-specific JS:
https://github.com/rails/rails/issues/21948
https://github.com/rails/rails/pull/27689

Add this in the layout
<%= csrf_meta_tags %>

Am having this issues with rails 6 API, works fine locally but throws errors on heroku

@gathuku We just solved our Heroku issues with this annoying issue. It would only happen when the Heroku dyno was out of memory. A fresh boot of the server used 95% of the 512MB. After a bunch of successful requests memory would go over 100% and it would only throw Can't verify CSRF token authenticity and would never work again until restarted and the memory went under 100%. Turns out the solution is to pay for bigger servers. Never happened in production because those were already bigger. Rails 5.2.3 and ruby 2.4.2.