
Rails 5.2 ActionController::InvalidAuthenticityToken

After upgrading to Rails 5.2 I started to get an ActionController::InvalidAuthenticityToken error for all forms in my application. I have worked around this by disabling Turbolinks for all forms, which works but is not a very good solution.

Searching the internet, the common solution recommended seems to be to disable protect_from_forgery:

skip_before_action :verify_authenticity_token, raise: false

Why would we need to disable protect_from_forgery, and doesn't that create a security hole?

EDIT

csrf_meta_tags are in the layout.


For Rails 5.2 default_protect_from_forgery is enabled by default on ActionController::Base.

You can disable it using the following syntax as explained in the PR.

config.action_controller.default_protect_from_forgery = false

Ref from the docs:

config.action_controller.default_protect_from_forgery determines whether forgery protection is added on ActionController:Base. This is false by default, but enabled when loading defaults for Rails 5.2.

For Rails 5.2 I had to add these two lines inside the controller where I had an issue:

  skip_before_action :verify_authenticity_token, raise: false
  skip_after_action :verify_authorized

and it worked in my case.
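An added example, not part of the original question or answers: both snippets above switch CSRF verification off, so this Ruby sketch audits controller and config source for those lines and ranks how widely each one applies. The file names, file contents and severity labels are constructed for illustration.

```ruby
# Added example: static check for disabled CSRF verification. Sample files and severities are constructed.
Finding   = Struct.new(:file, :line, :severity, :detail)
SKIP_RE   = /\bskip_before_action\s*\(?\s*:verify_authenticity_token\b(.*)/
CONFIG_RE = /\bdefault_protect_from_forgery\s*=\s*false\b/
CLASS_RE  = /^\s*class\s+([A-Z][\w:]*)/
def audit_csrf(files)
  findings = []
  files.each do |path, source|
    klass = nil
    source.each_line.with_index(1) do |text, lineno|
      next if text.strip.start_with?("#")             # commented-out code is not active
      klass = Regexp.last_match(1) if text =~ CLASS_RE
      if (m = SKIP_RE.match(text))
        if m[1] =~ /\bonly:|:only\s*=>/               # `raise: false` does not narrow the skip
          findings << Finding.new(path, lineno, :review, "#{klass}: skipped for listed actions only")
        elsif klass == "ApplicationController"
          findings << Finding.new(path, lineno, :high, "skipped in ApplicationController, inherited by subclasses")
        else
          findings << Finding.new(path, lineno, :medium, "#{klass}: skipped for every action")
        end
      elsif text =~ CONFIG_RE
        findings << Finding.new(path, lineno, :review, "default off; confirm protect_from_forgery is called explicitly")
      end
    end
  end
  findings
end

SAMPLE_FILES = {
  "app/controllers/application_controller.rb" => <<~RUBY,
    class ApplicationController < ActionController::Base
      skip_before_action :verify_authenticity_token, raise: false
    end
  RUBY
  "app/controllers/orders_controller.rb" => <<~RUBY,
    class OrdersController < ApplicationController
      # skip_before_action :verify_authenticity_token
      skip_before_action :verify_authenticity_token, only: [:webhook]
    end
  RUBY
  "app/controllers/profiles_controller.rb" => <<~RUBY,
    class ProfilesController < ApplicationController
      skip_before_action :verify_authenticity_token, raise: false
    end
  RUBY
  "config/application.rb" => "config.action_controller.default_protect_from_forgery = false\n"
}

audit_csrf(SAMPLE_FILES).each { |f| puts format("%-6s %s:%d  %s", f.severity, f.file, f.line, f.detail) }
```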
