Invalid form authenticity token when accessing two sites behind the same domain.

Added by Ryan J over 5 years ago

Hi,

I configured Redmine with SubURIs and use a reverse proxy so I can serve a couple of sites with the same SSL certificate. I access my sites via (e.g.):

https://www.mydomain.com/site1/redmine
https://www.mydomain.com/site2/redmine

Everything seems to work OK, but whenever I log into the second site, the next action I take on the first site gives me:

Invalid form authenticity token.

I think I have a rough idea of what's going on. I see a _redmine_session cookie for my domain, but there's only one and it uses a path of /. My guess is the same cookie is being sent to both sites and that I've missed a setting somewhere that causes the path for that cookie to be (ex:) /site1/redmine or /site2/redmine.

To configure the SubURIs I'm using Passenger with RackBaseURI. I've also configured the Host name and path setting in Redmine's admin GUI.

If I'm correct and the same cookie is being sent to both sites, what are the implications of that? What if someone else owns the second site?

Any tips?
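A constructed Ruby simulation, added here and not part of the post or of Redmine, of RFC 6265 cookie Path scoping: when both sites set `_redmine_session` with Path=/, the second login overwrites the first session and the token embedded in site1's form no longer matches, whereas per-site paths keep the two sessions apart. The cookie jar, the login routine and the token derivation are simplified assumptions, not Rails internals.

```ruby
require 'securerandom'

# Minimal browser cookie jar for one host: cookies are keyed by (name, path),
# so two Set-Cookie headers with the same name and Path overwrite each other.
class CookieJar
  def initialize
    @cookies = {}
  end

  def set(name, value, path)
    @cookies[[name, path]] = value
  end

  # RFC 6265 section 5.1.4 path-match: identical, or the cookie path is a prefix
  # that ends in '/', or the next character of the request path is '/'.
  def path_match?(request_path, cookie_path)
    return true if request_path == cookie_path
    return false unless request_path.start_with?(cookie_path)
    cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
  end

  # Cookies named +name+ that a browser would attach to a request for
  # +request_path+, most specific (longest) path first.
  def for_request(name, request_path)
    @cookies.select { |(n, p), _| n == name && path_match?(request_path, p) }
            .map { |(_, p), v| [p, v] }
            .sort_by { |p, _| -p.length }
  end
end

SESSION_COOKIE = '_redmine_session' # cookie name seen in the post
# Simplified login: a fresh session id is issued and the CSRF token is derived
# from it (real Rails token handling differs; the binding to the session is the point).
def login(jar, cookie_path)
  sid = SecureRandom.hex(8)
  jar.set(SESSION_COOKIE, sid, cookie_path)
  sid
end

# Log in to site1, render a form there, log in to site2, then submit site1's form.
# +cookie_paths+ are the Path attributes each site puts on its session cookie.
def scenario(cookie_paths)
  jar = CookieJar.new
  site1_token = "csrf-#{login(jar, cookie_paths[0])}"
  login(jar, cookie_paths[1])
  sent = jar.for_request(SESSION_COOKIE, '/site1/redmine/issues')
  current_sid = sent.first&.last
  site1_token == "csrf-#{current_sid}" ? :ok : :invalid_authenticity_token
end
```

`scenario(['/', '/'])` reproduces the error from the post, while `scenario(['/site1/redmine', '/site2/redmine'])` returns `:ok`, which is the cookie-path behaviour the poster suspects is missing.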
