Rails 3, protect_from_forgery and IE8 problems

Question

I have a rails app that all works fine for me in all browsers (Safari, Firefox, IE6, 7, 8 etc)

I have a new user who has a fairly locked down version of IE8 and as soon as they try to access the app, before they even get to the login page, they get a Windows Authentication prompt appear. If they try to enter the login details they have been provided it fails. I'm not really worried about it failing, as the authentication prompt shouldn't be appearing.

As soon as I remove protect_from_forgery from the ApplicationController they can access the system fine.

I've tried suggesting allowing cookies etc, but they are still getting the problem. Has anyone got any suggestions as to other things we could look

Just to add to this. The site uses a basecamp style subdomain system. Not certain if that's an issue or not.

HakonB · Accepted Answer · 2012-03-28T11:45:52.577

1

Which version of Rails are you using? Which authentication framework are you using?

I had the same behavior with Rails 3.0.3 and some earlier version of Devise. The issue I had was that in some circumstances IE8 decides to send 'Accept-Type: */*' in the HTTP header instead of a long line of supported formats. Somewhere within Rails/Devise something slipped and a HTTP authentication status was sent back.

I solved my problem by upgrading to Rails 3.0.5 and Devise 1.2.rc2.

edited Mar 28 '12 at 11:45

answered Mar 30 '11 at 15:35

HakonB

6,977
1
26
27

I'm running Rails 3.0.5 and Devise 1.1.9 – John Polling Mar 30 '11 at 16:13
Try do look at the HTTP request headers for the requests that prompt for authentication and see if it may be the same issue. I used Fiddler for inspecting the request headers. – HakonB Mar 30 '11 at 18:06
thanks for the advice. The bit I'm really struggling with it's fine for most people using IE8. It's just this one particular client. – John Polling Mar 30 '11 at 20:16
I've upgrade to Devise 1.2.1 and that seems to have resolved the issue. Now I need to fix mm-devise to work with Devise 1.2.1 :) – John Polling Mar 31 '11 at 14:05
Great. I did spend quite a bit of time and didn't qui – HakonB Mar 31 '11 at 15:30

score 0 · Answer 2 · edited May 23 '17 at 12:04

0

In case anyone else still has problems with this, I am using Rails 3.0.9 and Devise 1.2.1 and was still having this problem. My problem was that IE won't set cookies for subdomains with an underscore in them. See this answer for the details. So I changed my subdomains to use dashes and it works now.

edited May 23 '17 at 12:04

Community

1
1

answered Jun 30 '11 at 20:37

Brian Deterling

13,556
4
55
59

Rails 3, protect_from_forgery and IE8 problems

2 Answers2