
ActionController::InvalidAuthenticityToken in SessionsController#create error

Developer https://www.devze.com 2023-01-16 05:00 Source: Internet

I get this error in Rails 2.3.9 but not in 2.3.8. I didn't change any code. Did I miss anything?

ActionController::InvalidAuthenticityToken in SessionsController#create ActionController::InvalidAuthenticityToken

Thanks :)

Here are the added details.

Request

Parameters:

{"commit"=>"Login",
 "authenticity_token"=>"A9A4+sCsA/81FFoXJEUNziQYhgQ38pceGN2i7MUQbQY=",
 "password"=>"r3dp0rt"}

Here's the code in the application controller

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time
  protect_from_forgery :secret => "r3dp0rtP@$$", :digest => "MD5" # See ActionController::RequestForgeryProtection for details
end

Here's the code from my session create controller

  def create
    session[:password] = params[:password]
    flash[:notice] = "Sucessfully logged in"
    redirect_to "/login"
  end

and lastly here's the code from my simple login view

<div id="placeholder">
  <% form_tag :action => "create" do %>
    <p>
    <%= label_tag "This will enable administrative features for the site." %><br>
    <%= password_field_tag "password" %>
    </p>
    <br>
    <p>
    <%= submit_tag "Login" %>
    </p>
  <% end %>
</div>


There's a bug in 2.3.9. It prevents the session ID from being set when using an ActiveRecord or memcache session store. See this Rails ticket. You can fix it by using Mislav's patch at http://gist.github.com/570149. You'll have to create config/initializers/sessions_patch.rb and paste the code into it. Or you can run the following command in your project root path:

wget http://gist.github.com/570149.txt -O config/initializers/sessions_patch.rb

Finally, don't forget to restart your server (and maybe issue a rake db:sessions:clear).


I don't have enough points to leave this as a comment on the accepted answer, so I will add it as an answer. The patch does work, but be careful to name it sessions_patch.rb so it will be ordered alphabetically AFTER session_store.rb. As I found out the hard way (by mistakenly naming the patch session_patch.rb), the order of the initializers matters, and the patch won't work if it is loaded before your key and secret are set in session_store.rb. Hopefully this saves someone some time.
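
The load-order point from the answer above, as an added example that is not part of the original posts: Rails 2.3 loads the files under config/initializers in sorted path order, so this Ruby check reports whether a patch file sorts after session_store.rb. The function names and the temporary sample tree are assumptions made for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Returns initializer paths (relative to config/initializers) in the order
# Rails 2.3 loads them: a plain string sort of the globbed file paths.
def initializer_load_order(app_root)
  dir = File.join(app_root, "config", "initializers")
  Dir[File.join(dir, "**", "*.rb")].sort.map { |path| path.sub("#{dir}/", "") }
end

# Checks that `patch` is loaded after `dependency`.
# Returns :ok, :too_early, or :missing (one of the two files is absent).
def patch_order_status(app_root, patch, dependency)
  order = initializer_load_order(app_root)
  patch_at = order.index(patch)
  dep_at = order.index(dependency)
  return :missing if patch_at.nil? || dep_at.nil?
  patch_at > dep_at ? :ok : :too_early
end

# Constructed sample app tree (hypothetical helper) holding empty initializer files.
def with_sample_app(*names)
  Dir.mktmpdir do |root|
    dir = File.join(root, "config", "initializers")
    FileUtils.mkdir_p(dir)
    names.each { |name| FileUtils.touch(File.join(dir, name)) }
    yield root
  end
end

if __FILE__ == $PROGRAM_NAME
  # The two names from the answer: "_" sorts before "s", "p" sorts before "s".
  %w[sessions_patch.rb session_patch.rb].each do |patch|
    with_sample_app("session_store.rb", patch) do |root|
      puts "#{patch}: #{patch_order_status(root, patch, 'session_store.rb')}"
      puts "  load order: #{initializer_load_order(root).join(', ')}"
    end
  end
end
```

Pointing `patch_order_status` at a real application root instead of the sample tree runs the same check against its actual initializers.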


Have you tried clearing the browsing data of your browser? Most likely it's still sending the old AuthenticityToken.
