Devise: Double log in with InvalidAuthenticityToken in Devise::SessionsController#create

Created on 8 Jul 2014 · 7 Comments · Source: heartcombo/devise

I have a Rails 4.1.4 app which uses Devise, both with Active Admin and directly within the App (two ActiveRecord models: AdminUser and User). I am using ActiveAdmin from Github's master, as the last gem doesn't support Rails 4 yet.

I am getting an exception when I follow these steps:

  1. Open the ActiveAdmin sign_in form in one browser tab (for an AdminUser), without logging in.
  2. Open the App sign_in page in another browser tab (for a User), also without signing in.
  3. Log in successfully from one of those tabs (it doesn't matter which). All seems okay.
  4. Log in from the other tab, with the right credentials. Here I get an exception, which in production shows as an HTTP 422 ("The change you wanted was rejected").

If the second log in (4) is in the Rails app, I get:

ActionController::InvalidAuthenticityToken in Devise::SessionsController#create

If it is in the Active Admin login page, I am getting the same:

ActionController::InvalidAuthenticityToken in ActiveAdmin::Devise::SessionsController#create

This doesn't happen if I open the sign in form in one part of the app, sign in, and then open the form in the other. So both sign in forms need to have been rendered before logging in to see the problem.

This also doesn't happen if both log in pages belong to the same model (for example two rendered tabs from the Rails App for the User model, or two log in forms for Active Admin); in that case you just get the flash alert 'You are already signed in.'

I see this issue both with Devise 3.2.4 and in edge (last commit 9938a5e933b7eafa4dd2c94af1dbd57e4a65325f).

It seems to be independent of the browser (tested on Chrome 35.0.1916.153, Firefox 30.0 and Safari 7.0.5, all on OS X).

The issue seems to be similar to #2968, but in the case of log in, instead of logging out.

All 7 comments

There is the workaround of disabling CSRF protection for the sign_in action in the application controller. So in Rails 4+, instead of:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  # other filters and helpers omitted
end

Set it as:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  # skip_before_filter is the Rails 4 name; Rails 5 renamed it skip_before_action
  skip_before_filter :verify_authenticity_token, if: -> { controller_name == 'sessions' && action_name == 'create' }
  # other filters and helpers omitted
end

As both the App and Active Admin share the same controller_name.

I understand that CSRF is not such a problem at log in.

Yes, once you sign in, the CSRF token changes, expiring the previous sign in page. So the behaviour you are seeing is expected indeed.

Any recommendation on a graceful way to handle this? A client just experienced this and had no idea what to do: it was an XHR request and it just returned that message. I think I need a way to redirect the user if they have a bad login?
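The mechanism behind this thread (two tabs share one session, the first sign-in rotates the CSRF token, the second tab's form is now stale) and the "graceful" handling asked for above, modelled as an added example. This is not code from the thread, Rails or Devise: `Session`, `sessions_create` and the rescue variant are constructed stand-ins, and Devise scopes (AdminUser vs User) are not modelled.

```ruby
require "securerandom"
# Constructed stand-ins for the Rails/Devise pieces involved (not their real code).
class InvalidAuthenticityToken < StandardError; end

class Session
  attr_reader :data
  def initialize; @data = {}; end
  # Rails issues the CSRF token lazily and keeps it in the session.
  def csrf_token
    @data[:_csrf_token] ||= SecureRandom.base64(32)
  end
  # Devise.clean_up_csrf_token_on_authentication drops it on sign-in.
  def rotate_csrf_token!
    @data.delete(:_csrf_token)
  end
end

# A rendered sign-in form carries the token that was current at render time.
def render_sign_in_form(session)
  { authenticity_token: session.csrf_token }
end

def verify_authenticity_token!(session, params)
  raise InvalidAuthenticityToken unless params[:authenticity_token] == session.csrf_token
end

# sessions#create as the issue describes it: verify, sign in, token rotates.
def sessions_create(session, params)
  verify_authenticity_token!(session, params)
  session.rotate_csrf_token!
  session.data[:user_id] = 1
  { status: 302, location: "/" }
end

# Graceful alternative to skipping the check: keep verification on and turn the
# 422 into a redirect to a freshly rendered form, which carries the new token.
def sessions_create_with_rescue(session, params)
  sessions_create(session, params)
rescue InvalidAuthenticityToken
  { status: 302, location: "/users/sign_in", flash: "Sign-in form expired, please try again." }
end

# Two tabs of one browser share one session; log in from A, then submit B's stale form.
def two_tab_scenario(create)
  session = Session.new
  tab_a = render_sign_in_form(session)  # e.g. the ActiveAdmin login page
  tab_b = render_sign_in_form(session)  # e.g. the app's own login page
  [create.call(session, tab_a), create.call(session, tab_b)]
end
```

In a real app the rescue variant corresponds to a `rescue_from ActionController::InvalidAuthenticityToken` in the sessions controller with `protect_from_forgery` left in place, so a stale or forged form is still never authenticated, it just gets a redirect instead of a 422.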

@gregblass did you find a solution or cause of this? I've just got the exact same error message with a Rails 5.1 app. I've found a couple of places mentioning this issue (like SO) but it's like there is no general solution to this.

Same error on macOS High Sierra / Rails 5.1.4

I think I am also affected by this. I am also getting InvalidAuthenticityToken emails. And for that matter I am also having problems with users resetting their password. Some issue according to rails. I have included links to the error messages

https://pastebin.com/0LSVxAB5 Login problem
https://pastebin.com/WNRRaZty Password reset problem
