WARNING: Can't verify CSRF token authenticity using devise

Question

While logging with devise i am getting WARNING: Can't verify CSRF token authenticity and 401 unauthorized message. It is redirecting back to log in page even though valid user.

I have tried many solutions but still could not figure out the problem. I checked my params and it is sending authencity token which was supposed to raise WARNING: Can't verify CSRF token authenticity issue.

This is my log file

Started POST "/admin/sign_in" for 127.0.0.1 at 2013-06-20 13:12:27 +0545
Processing by Devise::SessionsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"YWAa7xOf+u0ButjnaE/kz5RmL3SZKFs
x51pFbMxDqiw=", "admin"=>{"email"=>"shobhab@gmail.com", "password"=>"[FILTERED]"}}

WARNING: Can't verify CSRF token authenticity

Admin Load (0.7ms)  SELECT `admins`.* FROM `admins` WHERE `admins`.`email` = 'shobhab@gm                          ail.com' LIMIT 1
(0.3ms)  BEGIN
(0.6ms)  UPDATE `admins` SET `last_sign_in_at` = '2013-06-20 07:27:20', `current_sign_i                          n_at` = '2013-06-20 07:27:28', `sign_in_count` = 37, `updated_at` = '2013-06-20 07:27:28' WHERE `admins`.`id` =      4
(19.0ms)  COMMIT
Redirected to home page
Completed 302 Found in 179ms (ActiveRecord: 0.0ms)
Started GET "/" for 127.0.0.1 at 2013-06-20 13:12:28 +0545
Processing by Admin::DashboardController#index as HTML
Completed 401 Unauthorized in 1ms

Thanks in advance

It's the form generated by devise

<%= form_for(resource, :as => resource_name, :url => session_path(resource_name), :html => {:id => "login_    form"}) do |f| %>
     <h2>Log in to your account:</h2>
     <%= f.label :email, 'Email:' %>
     <%= f.text_field :email, :class => "login" %><br /><br />
    <%= f.label :password, 'Password:' %>
    <%= f.password_field :password, :class => "login" %><br /><br />
    <div class="pagination-right">
  <%= f.submit "sign in"%>
    <%= link_to "Forgot Password?", new_admin_password_path %>
    </div>
    <p class="hr">Don't have an account?</p>
    <p>Please contact your Admin or contact Talintel Support</p>
    <% end %>

In the hidden field it is generating authenticity token

<div style="margin:0;padding:0;display:inline">
<input type="hidden" value="✓" name="utf8">
<input type="hidden" value="6yM4gkyWC94ej1X2Wzn/l17xTpIymsx9wCEuw5aOJbQ=" name="authenticity_token">
</div>

@Logic-Seeker You should add the configuration change as an answer to the question so that others can benefit from it when they arrive here. — brainimus, Aug 14 '13 at 14:30
can you please post the configuration changes you made to solve this. I am facing similar issue here: http://stackoverflow.com/questions/19861402/devise-user-sign-in-gives-authentication-error-for-csrf-token-authenticity-token — rtcoms, Nov 11 '13 at 15:22

score 0 · Answer 1 · answered Jan 21 '14 at 00:45

I ran into this today upgrading from 2.1 to 2.2.8 and suspected this change https://github.com/plataformatec/devise/commit/415fa2ad210f37bd264e5653440413dfd90f5170

So, I put a breakpoint in devise/hooks/csrf_cleaner to find out where it was being called from. I had a before_filter that was checking current_user which was logging user in based on session and, thus, clearing the token.

HTH.

WARNING: Can't verify CSRF token authenticity using devise

1 Answers1