Defect #5230

Invalid form authenticity token.

Added by Petr Pospisil over 7 years ago. Updated about 1 year ago.

Status: New
Start date: 2010-04-01
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: -
Resolution:
Affected version: 0.9.3

Description

Try to click on the "Login" button more than once. The message "Invalid form authenticity token" will appear.

Redmine_01.png (35.6 KB) Petr Pospisil, 2010-07-22 14:24

Redmine_02.png (39.5 KB) Petr Pospisil, 2010-07-22 14:24


Related issues

Related to Redmine - Defect #4825: Several related bugs relating to registration, sign in an... New 2010-02-13
Related to Redmine - Defect #5051: Cookie issue when using Redmine on Firefox Closed 2010-03-11

History

#1 Updated by Petr Pospisil over 7 years ago

Or if you have opened the detail of an issue for a long time and then submit your notes.

#2 Updated by Fritz brause over 7 years ago

same as #5051 ?

#3 Updated by Petr Pospisil over 7 years ago

I don't know how to confirm your suspicion.

#4 Updated by Felix Schäfer over 7 years ago

Do you still experience issues with the authenticity token?

#5 Updated by Petr Pospisil over 7 years ago

Why not? What was changed? Show the login dialog, fill in credentials, double-click the login button. It is the simplest way to simulate the behaviour. Another problem is if you have an ISP with large latency (response time), e.g. slow wifi.

#6 Updated by Felix Schäfer over 7 years ago

Petr Pospisil wrote:

Why not? What was changed? Show the login dialog, fill in credentials, double-click the login button. It is the simplest way to simulate the behaviour. Another problem is if you have an ISP with large latency (response time), e.g. slow wifi.

I cannot reproduce this; as long as you can't give a clear way to reproduce (i.e. download a fresh redmine, load the default data, don't install any plugin, reproduce), we won't be able to help you.

#7 Updated by Petr Pospisil over 7 years ago

1) attached screen shot from WWW.REDMINE.ORG
2) attached TRUNK grabbed at 2010-07-22 14:12:00 - no plugins, no mess... just trunk and to command line :"ruby server".

#8 Updated by Petr Pospisil over 7 years ago

This post above I had to submit twice - at the first case, I saw "Invalid form authenticity token"...

#9 Updated by Felix Schäfer over 7 years ago

As I said, I can't reproduce it, though I've been trying like hell to double-click on the login button. Is it maybe a problem with your browser? Have you tried it from another browser? From another machine?

#10 Updated by Petr Pospisil over 7 years ago

Sorry, it is not just my problem or a browser problem. Can you see the screenshots from other people or browsers? :o). I guess no.

Login page -> fill credentials -> clicking the submit button more than once (e.g. twice, 5 times...). At the first request, the system did log in. But the second request is faster than the response from the first request. As I mean. And the error message occurs. It is a server-side problem. I know that clicking the submit button repeatedly is not a usual case, but it simulates situations on a slower wire. It is annoying to submit an issue update this way: type some description of the update, ctrl+c, click submit, error occurred, close the browser, log in again, find the issue, ctrl+v, submit. This behaviour is sometimes seen on slower internet.

I guess the server expects a different token, because the user is logged in by the first request.

#11 Updated by Felix Schäfer over 7 years ago

Well, if it's a network problem, it's not something that can or should be solved on the server… Anyway, try as I may, I can't reproduce it either here, nor on 2 other redmine installations. Maybe you could try to search for the invalid authenticity token and slow connection on google with rails, because it's a mechanism of rails, not of redmine itself.

#12 Updated by Petr Pospisil over 7 years ago

You are right, it seems to be rails problem. But the result is unworking redmine.. :(.

#13 Updated by Ewan Makepeace about 7 years ago

This is a huge problem for me and is very simple to reproduce:

  1. Log out from Redmine.
  2. Go to your email
  3. Click on the links on three different issues in your email so that three tabs open in your favourite browser.
  4. Presumably each is prepopulated with your login details in the browser.
  5. On the first tab you can click login and be redirected to the issue.
  6. On the other tabs when you hit login you get the dreaded "Invalid form authenticity token.". Now you have to login again and after you do so your redirect is lost so you close the tab and go and look for the email again.

I hate this message so much I am considering moving off Redmine (Pivot Tracker looks rather attractive?). Seriously this is a monster issue that is driving me insane.

#14 Updated by Ewan Makepeace about 7 years ago

PS Version Redmine 1.0.1.devel.4167 (MySQL)

#15 Updated by Bruno Medeiros about 7 years ago

Felix, Could you try the Ewan Makepeace case?

This bug is really annoying...

#16 Updated by Felix Schäfer about 7 years ago

Bruno Medeiros wrote:

Felix, Could you try the Ewan Makepeace case?

This bug is really annoying…

I don't need to try it, what happens to Ewan is because of a security feature of rails, and only related to the OP by the mechanism that causes it. The OP has a problem when submitting a single form more than once (multiple clicks on one and only submit button), whereas Ewan has a problem because he tries to send the "same form" multiple times from different browser tabs/windows. I'm not sure if there is a secure way to work around Ewan's problem, but please don't hijack this issue for it and open a new one instead, thanks.

Oh, and Ewan: as happy as I am about people using redmine, no one here will hold you back from using what you think is best for you.

#17 Updated by David Escala almost 7 years ago

The easiest way to reproduce is:

  1. login to http://www.redmine.org/login
  2. go back with browser button
  3. submit again the login form

To avoid the error page and redirect the user to a sensible location I have patched app/controllers/application_controller.rb in 1.0-stable:

     end
-    render_error "Invalid form authenticity token." 
+    redirect_back_or_default(home_path)
   end
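
Review bot: The `+` line removes the only signal that the token check failed. After `redirect_back_or_default(home_path)` the user lands on another page with no indication that the submitted form was discarded, and the visible lines do not log the rejection. Consider setting a flash error with the original message before the redirect and logging the failure, so that a rejected cross-site request remains visible to operators.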

The second submit is not (and should not be) processed.
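
An added example, not part of the thread and not Rails or Redmine code: a toy Ruby model of a session-bound form token, reproducing the multi-tab case from comment #13. It assumes the server starts a fresh session (and token) on successful login, as comment #10 guesses; `ToyApp` and every name in it are hypothetical.

```ruby
require "securerandom"

# Toy model of a session-bound form token (illustrative only).
class ToyApp
  def initialize
    @sessions = {} # session id => { token:, user: }
  end

  # GET /login: reuse the cookie's session or start one; returns [sid, form_token].
  def login_form(sid = nil)
    sid = start_session(nil) unless @sessions.key?(sid)
    [sid, @sessions[sid][:token]]
  end

  # POST /login: returns [outcome, session id to set as cookie].
  def submit_login(sid, form_token, user)
    session = @sessions[sid]
    # A stale or unknown token means the request is not processed.
    return [:invalid_token, sid] unless session && same?(session[:token], form_token)
    @sessions.delete(sid)             # assumption: session is reset at login
    [:logged_in, start_session(user)] # new session, therefore a new token
  end

  def user_for(sid)
    @sessions.dig(sid, :user)
  end

  private

  def start_session(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { token: SecureRandom.base64(32), user: user }
    sid
  end

  # Length check, then a comparison without an early exit.
  def same?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: two tabs share one cookie jar and both load the login form.
def two_tab_login
  app = ToyApp.new
  cookie, tab1_token = app.login_form
  _, tab2_token = app.login_form(cookie) # same session, same token
  first, cookie = app.submit_login(cookie, tab1_token, "alice")
  second, cookie = app.submit_login(cookie, tab2_token, "alice")
  { first: first, second: second, still_logged_in: app.user_for(cookie) == "alice" }
end
```

In this model the second tab's submit is rejected while the session created by the first tab stays logged in, which is why a redirect rather than an error page still leaves the user authenticated.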

#18 Updated by Bryce Nordgren over 6 years ago

I got this on my old production installation...briefly.

It occurred when I changed my password in Active Directory, and I had not yet updated the "bind pw" on my LDAP connection setup page.

hope that helps.

#19 Updated by Toshi MARUYAMA over 2 years ago

  • Related to Defect #5051: Cookie issue when using Redmine on Firefox added

#20 Updated by Maicon de Oliveira almost 2 years ago

I had the same problem and created this account just to share my solution.

tl;dr
Delete browser cookies, start again

How it happened
I was using redmine version 3.1.2 in a 32bit linux mint 15. Formated my machine with a brand new linux mint 17.2 64 bit and installed redmine version 3.1.2. Restored database and stuff, everything as usual.
When I logged, I got the same error.

How I fixed
After some time looking for the problem, figured out I had an older cookie from previous installation (using chrome sync), pressed F12, deleted all cookies and everything works fine.

Just in case someone needs it

#21 Updated by Greg T about 1 year ago

David Escala wrote:

To avoid the error page and redirect the user to a sensible location I have patched app/controllers/application_controller.rb in 1.0-stable:

- render_error "Invalid form authenticity token."
+ redirect_back_or_default(home_path)
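
Review bot: As quoted, `redirect_back_or_default(home_path)` runs for every request that fails the token check, whatever its format, so a scripted or XHR client that previously received the `render_error` response would now be redirected to an HTML page. Consider redirecting only HTML requests and keeping an error status for the rest.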

This works great. Thanks.
