Devise in Rails doesn't work with HTTPs

Question

After I press the button to "sign in" on https://myapp.com/users/sign_in, the following error appears:

ActionController::InvalidAuthenticityToken in Devise::SessionsController#create

regardless of the existing user's credentials.

If I press the button to sign in on http://myapp.com/users/sign_in, the user signs in and the application seems to work smoothly, except the user cannot create posts under HTTPs too.

I want to make devise authentication work under SSL.

routes.rb:

devise_for :users

application_controller.rb:

class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
end

user.rb:

class User < ApplicationRecord
    devise :database_authenticatable, :recoverable, :rememberable, :registerable, :trackable, :validatable
end

I have the <%= csrf_meta_tags %> in the head
I cleared the cookies in browsers
I tried protect_from_forgery with: :null_session instead of protect_from_forgery with: :exception in app/controllers/application_controller.rb
I tried to put <%= hidden_field_tag :authenticity_token, form_authenticity_token %> in the form_for for new session
I tried devise_for :users, :controllers => { :sessions => "users/sessions" } in root

I tried to add

config.to_prepare { Devise::SessionsController.force_ssl }
config.to_prepare { Devise::RegistrationsController.force_ssl }
config.to_prepare { Devise::PasswordsController.force_ssl }

in config/environments/production.rb

may be this will resolve your issue http://stackoverflow.com/questions/38331496/rails-5-actioncontrollerinvalidauthenticitytoken-error — bunty, Apr 05 '17 at 12:37
this https://github.com/plataformatec/devise/wiki/How-To:-Use-SSL-(HTTPS) — bunty, Apr 05 '17 at 13:20

score 0 · Answer 1 · answered Apr 05 '17 at 12:38

0

put one line in sessions_controller

skip_before_action :verify_authenticity_token

and in routes.rb

devise_for :users, controllers:
                  {
                    sessions: 'users/sessions',
                  }

because its not require authentication_token when user login

answered Apr 05 '17 at 12:38

Mayur Kambariya

107
4

1

Mayur, where is sessions_controller? – Bexultan Myrzatay Apr 05 '17 at 12:43
I will try to create a sessions_controller.rb in controllers/users/sessions folder – Bexultan Myrzatay Apr 05 '17 at 12:44
Error: uninitialized constant Users::SessionsController It seems I need more expanded explanations from you. – Bexultan Myrzatay Apr 05 '17 at 12:48
1

sessions_controller is generated by devise itself app/controllers/users/sessios_controller.rb – Mayur Kambariya Apr 06 '17 at 06:37

score 0 · Answer 2 · answered Apr 05 '17 at 14:00

There is the workaround of disabling CSRF protection for the sign_in action in the application controller

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  ....
end

Set it as:

class ApplicationController < ActionController::Base
  protect_from_forgery  with: :exception
  skip_before_filter :verify_authenticity_token, if: -> { controller_name == 'sessions' && action_name == 'create' }
  ...
end

Devise in Rails doesn't work with HTTPs

2 Answers2