InvalidAuthenticityToken in Devise::SessionsContro

2020-02-23 09:24发布

站内问答 / 前沿技术
1276 7 5

I am using Devise 3.2.0 for authentication and found an issue when I do the following:

  • tab 1: sign in to app
  • tab 2: go to any page in the app
  • tab 2: sign out (success)
  • tab 1: sign out (failure - see exception below)

Exception raised:

ActionController::InvalidAuthenticityToken in Devise::SessionsController#destroy

In the development log I see:

Can't verify CSRF token authenticity

And the top three lines of the stack trace are:

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  actionpack (4.0.0) lib/action_controller/metal/request_forgery_protection.rb:163:in `handle_unverified_request'
  actionpack (4.0.0) lib/action_controller/metal/request_forgery_protection.rb:170:in `handle_unverified_request'
  devise (3.2.0) lib/devise/controllers/helpers.rb:198:in `handle_unverified_request'

How can I ensure successive sign outs don't raise an exception?

7条回答
Ridiculous、
2楼-- · 2020-02-23 09:46

If you are still having this issue as i did in Rails 5 and devise 4.4.1, in the app/controllers/application_controller.rb change 

protect_from_forgery with: :exception

to

protect_from_forgery with: :null_session

hope it helps.

查看更多
0人赞 添加讨论(0) 举报
聊天终结者
3楼-- · 2020-02-23 09:47

Here is whats happening,

When you initially signed out from tab 2, session and authenticity_token associated with the logged in user was destroyed. When you try to sign out from tab 1, Devise again tries to destroy the session using the authenticity_token which was destroyed on tab 2.

Hence, you get the error ActionController::InvalidAuthenticityToken as devise fails to authenticate using the given authenticity_token.

You only get one unique session per sign in, if that gets destroyed you'll have nothing to destroy again.

EDIT

This behavior is not provided by Devise. If you wish to implement such behavior you will have to override SessionsController.

Create a sessions_controller.rb file in app/controllers/users directory

class Users::SessionsController < Devise::SessionsController
  prepend_before_filter :verify_user, only: [:destroy]

  private
  ## This method intercepts SessionsController#destroy action 
  ## If a signed in user tries to sign out, it allows the user to sign out 
  ## If a signed out user tries to sign out again, it redirects them to sign in page
  def verify_user
    ## redirect to appropriate path
    redirect_to new_user_session_path, notice: 'You have already signed out. Please sign in again.' and return unless user_signed_in?
  end
end

Update routes.rb 

devise_for :users, :controllers => { :sessions => "users/sessions" }
查看更多
0人赞 添加讨论(0) 举报
神经病院院长
4楼-- · 2020-02-23 09:49

Kirti is exactly right. I've had this problem yesterday but with a custom authentication solution. If this is really a problem that you want to fix, you could figure out how to override Devise's signout action and add skip_before_filter :verify_authenticity_token for that action.

查看更多
0人赞 添加讨论(0) 举报
爷的心禁止访问
5楼-- · 2020-02-23 09:52

past this in the layout: <%= csrf_meta_tags %>

查看更多
0人赞 添加讨论(0) 举报
倾城 Initia
6楼-- · 2020-02-23 09:52

This bug was fixed in devise 3.3.0.

查看更多
0人赞 添加讨论(0) 举报
孤傲高冷的网名
7楼-- · 2020-02-23 09:53

You can change strategy of verify csrf token.

In rails 3 the default strategy when verify is failed, is return a null session. In rails 4 was changed the strategy in application_controller to return a exception.

I solve this, changing in my application_controller.rb

class ApplicationController < ActionController::Base
-    protect_from_forgery, with: :exception
+    protect_from_forgery

This way, use the default strategy.

查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)