This app works fine on localhost, but fails when deployed to Heroku.
When I try to log in I get this error in the logs:
Error R14 (Memory quota exceeded)
Started POST "/users/sign_in?locale=en" for 115.31.132.11 at 2022-07-04 15:19:04 +0000
Processing by Users::SessionsController#create as HTML
Parameters: {"authenticity_token"=>"gLidqKg8CS6bv....", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"1"}, "commit"=>"Log in", "locale"=>"en"}
Can't verify CSRF token authenticity.
Started GET "/profiles?locale=en" for XXX.XXX.XXX.XXX at 2022-07-04 16:40:43 +0000
Processing by ProfilesController#index as HTML
Parameters: {"locale"=>"en"}
Completed 401 Unauthorized in 84ms (Allocations: 1320)
Started GET "/users/sign_in?locale=en" for X.X.X.X at 2022-07-04 16:40:43 +0000
Processing by Users::SessionsController#new as HTML
The CSRF metadata is present; as you can see, it's submitted in the POST request. I am using Heroku with SSL certificates. No Cloudflare.
app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  protect_from_forgery
end
config/environments/production.rb
config.force_ssl = false
config.cache_store = :redis_cache_store, {
  namespace: 'cache',
  expires_in: 24.hours,
  driver: :hiredis,
  url: ENV.fetch("REDIS_CACHE_URL") { "redis://localhost:6379/1" },
}
config.session_store :cookie_store, expire_after: 1.year, domain: :all
Heroku ENV SECRET_TOKEN is present.
EDIT: I found the problem is domain: :all. I need to have domain: :all because I need to share sessions across subdomains (fr.dashboard.example.com, es.dashboard.example.com, etc.).
config.session_store :cookie_store, expire_after: 1.year, domain: :all
CodePudding user response:
I solved it by changing
domain: :all
to
domain: '.example.com'
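
Rails keeps the CSRF token in the session, so a session cookie that the browser drops or never sends back leads to the "Can't verify CSRF token authenticity" line in the log above. The following added example (not part of the original post or answer) applies RFC 6265 domain matching to a Set-Cookie header to show which subdomains would receive the session cookie. The cookie name `_app_session`, the sample headers and the hosts `notexample.com` and `dashboard.other.test` are constructed for illustration.

```ruby
# Added example: which hosts get a session cookie back, per RFC 6265 domain matching.

# Domain attribute of a Set-Cookie value, lowercased, leading dot dropped; nil if host-only.
def cookie_domain(set_cookie)
  attr = set_cookie.split(";").map(&:strip).find { |a| a.downcase.start_with?("domain=") }
  return nil unless attr
  value = attr.split("=", 2).last.strip.downcase.sub(/\A\./, "")
  value.empty? ? nil : value
end

def ip_literal?(host)
  host.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/) || host.include?(":")
end

# RFC 6265 5.1.3: identical, or host ends with "." + domain and is not an IP address.
def domain_match?(host, domain)
  host = host.downcase
  host == domain || (!ip_literal?(host) && host.end_with?(".#{domain}"))
end

# Map each host to true/false: would a browser send this cookie to it?
# origin_host is the host that issued the Set-Cookie header.
def cookie_reach(set_cookie, origin_host, hosts)
  domain = cookie_domain(set_cookie)
  # A Domain attribute that does not cover the issuing host makes the browser drop the cookie.
  accepted = domain.nil? || domain_match?(origin_host, domain)
  hosts.map do |h|
    sent = accepted && (domain ? domain_match?(h, domain) : h.casecmp?(origin_host))
    [h, sent]
  end.to_h
end

# Constructed sample headers; the cookie name _app_session is a placeholder.
EXPLICIT  = "_app_session=abc123; domain=.example.com; path=/; HttpOnly"
HOST_ONLY = "_app_session=abc123; path=/; HttpOnly"
MISMATCH  = "_app_session=abc123; domain=.dashboard.other.test; path=/; HttpOnly"
HOSTS = %w[fr.dashboard.example.com es.dashboard.example.com notexample.com]

if __FILE__ == $PROGRAM_NAME
  { "explicit" => EXPLICIT, "host-only" => HOST_ONLY, "mismatch" => MISMATCH }.each do |name, hdr|
    puts "#{name}: #{cookie_reach(hdr, 'fr.dashboard.example.com', HOSTS)}"
  end
end
```

To use it on a real deployment, pass the Set-Cookie value returned by the sign-in page together with the host that served it.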