4

I'm getting ActionController::InvalidAuthenticityToken in Rails 5. It was working correctly for a while, and then just gave up working.

# Application Controller
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

I'm using the Rails form helper, and passing in a form object:

# price_history/new.html.erb
<%= form_for @price_history_form, url: 'price_history' do |f| %>
  ...
<% end %>

I can see the authenticity token being generated in the HTML, and passed into the controller.

class PriceHistoriesController < ApplicationController

I'm at a loss as to why this is happening. Any thoughts?

mark
  • In what situation are you getting that error ? Or are you getting it always ? – Alexander Luna Jun 12 '17 at 01:40
  • Hi @AlexanderLuna every form submission now. I've restarted the server multiple times, closed the browser, etc. – mark Jun 12 '17 at 01:43
  • @mark did you get this figured out? If so, please feel free to submit your own answer or mark the correct answer so that others that run into this same problem can more easily find the solution. – OneNeptune Jun 12 '17 at 02:29
  • @OneNeptune, yep turbolinks + the :url option! thanks – mark Jun 12 '17 at 02:49

5 Answers

7

An easy fix without the need of disabling Turbolinks with the Rails native UJS implementation:

$(document).on('turbolinks:load', function() {
    Rails.refreshCSRFTokens();
});

Phitherek_

3

For anyone else who might find this: there were two problems.

Turbo links adding 'data-no-turbolink' => true and then the url: needed to start with a /

mark
2

Not sure about the internals of the problem, but this JS fixed it for me (Rails 5.1 with Turbolinks enabled):

$(document).on("turbolinks:load", function() {
  $.rails.refreshCSRFTokens();
});

It updates head CSRF token so it matches form CSRF token. Idea from here: https://github.com/rails/jquery-ujs/issues/456

nazar kuliyev
1

Try disabling Turbolinks. What version of Rails are you running?

For help disabling turbolinks, refer here: How to disable turbolinks in Rails 5?

OneNeptune
  • Disabling a feature to solve a problem is hardly an answer. There needs to be a proper answer to this. – Ekkstein Jul 26 '18 at 15:15
1

The issue is with the :url option. According to this Rails issue, it will raise that error when you use it:

https://github.com/rails/rails/issues/24257

Apparently there are 2 solutions to this problem:

1) Disable Turbolinks in your form ('data-no-turbolink' => true)

2) Remove render stream: true from the controller action rendering the link or form

Alexander Luna
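
One way to see why the `url:` value had to start with a `/`, as an added example that is not part of any answer above and is not Rails' own code. It assumes per-form CSRF tokens are enabled and models such a token as an HMAC over the form's action path and HTTP method; the secret, the page URL and all helper names are constructed for illustration.

```ruby
require "openssl"
require "securerandom"
require "uri"

# Simplified model (an assumption, not Rails source) of a per-form CSRF token:
# an HMAC keyed by the session's secret over "<action path>#<method>".
# Token masking and Base64 encoding are left out.
def per_form_token(session_secret, action_path, http_method)
  OpenSSL::HMAC.hexdigest("SHA256", session_secret, "#{action_path}##{http_method.downcase}")
end

# Path the token is bound to at render time: the form action as written in the view.
def path_at_render(form_action)
  URI.parse(form_action).path.chomp("/")
end

# Path the server sees at submit time: the browser resolves the action
# against the URL of the page that contains the form.
def path_at_submit(page_url, form_action)
  URI.join(page_url, form_action).path.chomp("/")
end

# Constant-time comparison so the check itself does not leak token bytes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when the token issued for the rendered action matches the one the
# server recomputes for the path the request actually arrives on.
def token_accepted?(session_secret, page_url, form_action, http_method = "post")
  issued   = per_form_token(session_secret, path_at_render(form_action), http_method)
  expected = per_form_token(session_secret, path_at_submit(page_url, form_action), http_method)
  secure_equal?(issued, expected)
end

SECRET = SecureRandom.random_bytes(32)              # constructed session secret
PAGE   = "http://localhost:3000/price_history/new"  # constructed page URL

if __FILE__ == $PROGRAM_NAME
  ["price_history", "/price_history"].each do |action|
    puts "#{action.inspect}: render=#{path_at_render(action).inspect} " \
         "submit=#{path_at_submit(PAGE, action).inspect} " \
         "accepted=#{token_accepted?(SECRET, PAGE, action)}"
  end
end
```

With the relative action the token is bound to `price_history` while the request arrives on a different, browser-resolved path, so the two HMACs differ; with the leading `/` both sides agree.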