Devise: ActionController::InvalidAuthenticityToken in Devise::SessionsController#destroy

Created on 21 Oct 2014  ·  7 Comments  ·  Source: heartcombo/devise

Hi, I've been searching all around the internet to solve this problem but can't find a solution. I am getting the following exception when I try to destroy the user session (log out as a user):

ActionController::InvalidAuthenticityToken in Devise::SessionsController#destroy

I am aware of the following issue:
https://github.com/plataformatec/devise/issues/2934

but this one seems to be different.

It is not the case of a user logging out consecutively. I've tried logging in with no cookies, and I am able to log in, but each time I try to log out I am thrown that exception.

I am using Rails 4.1 and Devise 3.4. Any form of help would be greatly appreciated. Thanks for all the great work.

All 7 comments

Please use the mailing list or StackOverflow for questions/help, where a wider community will be able to help you. We reserve the issues tracker for issues only.

If you think this is a bug or hard to track down, you could provide a sample application that reproduces the error, but there is no guarantee we can look at it in the short term.

In your view, if you have this, it tends to work: destroy_user_session_path(:authenticity_token => form_authenticity_token())

So:
<%= link_to 'Sign out', destroy_user_session_path(:authenticity_token => form_authenticity_token()), method: 'delete' %>

@amirothman @nickjj Did you add <%= csrf_meta_tags %> to your html head?

@trantorLiu Yeah.

@trantorLiu, I forgot to add that, I feel so funny. I used a new layout and I was having an issue with signout. It works now. Thank you.

@tabishiqbal's recommendation was required for my Rails 5.1.7 when upgrading from Ruby v2.3.8 to v2.6.5. The upgrade caused my Capybara tests that clicked the "Sign Out" button to fail.

# spec_helper.rb
RSpec.configure do |config|
  # Tag API controller specs and request specs so they run with CSRF protection on
  config.define_derived_metadata(
    file_path: Regexp.new('/spec/controllers/api/.*|/spec/requests/.*')
  ) do |metadata|
    metadata[:allow_forgery_protection] = true
  end

  # Enable forgery protection for tagged examples and restore the previous setting afterwards
  config.around(:each, allow_forgery_protection: true) do |example|
    original_forgery_protection = ActionController::Base.allow_forgery_protection
    ActionController::Base.allow_forgery_protection = true
    begin
      example.run
    ensure
      ActionController::Base.allow_forgery_protection = original_forgery_protection
    end
  end
end

Needed to change destroy_user_session_path to destroy_user_session_path(:authenticity_token => form_authenticity_token)
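
A check for the failure reported in this thread (a new layout without csrf_meta_tags breaking sign-out), added here as an example and not part of the original thread or of Devise: it scans ERB layout sources and reports those whose <head> never outputs the tag. The layout paths and contents are constructed samples, and the constant and method names are hypothetical.

```ruby
# Added example: flag ERB layouts whose <head> never outputs csrf_meta_tags.
# Limits (assumptions): ERB only; a <head> built in a partial is reported as :missing.
HEAD_RE         = %r{<head\b[^>]*>(.*?)</head>}mi
CSRF_TAG_RE     = /<%=\s*csrf_meta_tags?\b.*?%>/m # output tag only; also the csrf_meta_tag alias
ERB_COMMENT_RE  = /<%#.*?%>/m
HTML_COMMENT_RE = /<!--.*?-->/m # the browser ignores markup inside HTML comments

# Returns :ok, :missing or :no_head for one layout source string.
def csrf_meta_status(source)
  live = source.gsub(ERB_COMMENT_RE, '').gsub(HTML_COMMENT_RE, '')
  head = live[HEAD_RE, 1]
  return :no_head if head.nil?
  head.match?(CSRF_TAG_RE) ? :ok : :missing
end

# Takes { path => source } and returns the sorted paths that have a <head> without the tag.
def layouts_missing_csrf(layouts)
  layouts.select { |_path, src| csrf_meta_status(src) == :missing }.keys.sort
end

# Constructed sample layouts; on a real app, read app/views/layouts/**/*.erb instead.
SAMPLE_LAYOUTS = {
  'app/views/layouts/application.html.erb' => <<~'ERB',
    <html><head>
      <title>App</title>
      <%= csrf_meta_tags %>
    </head><body><%= yield %></body></html>
  ERB
  'app/views/layouts/admin.html.erb' => <<~'ERB',
    <html><head>
      <title>Admin</title>
      <%# csrf_meta_tags %>
    </head><body><%= yield %></body></html>
  ERB
  'app/views/layouts/embed.html.erb' => <<~'ERB'
    <div><%= yield %></div>
  ERB
}.freeze

if __FILE__ == $PROGRAM_NAME
  layouts_missing_csrf(SAMPLE_LAYOUTS).each { |path| puts "missing csrf_meta_tags: #{path}" }
end
```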
