Can't validate CSRF token even though it is sent to server
I am getting the error: Unable to authenticate CSRF token
Although, when I look in the log, I see that the client has sent the token to the server.
I, [2015-05-31T16:40:28.832719 #30768] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"E1GjDUm3LomswskJKg72HjJz7fQ5BOWceGwAauq5B48=", "company"=>{"work_time_start"=>"8", "work_time_end"=>"18", "time_rounding"=>"15", "weekends"=>"6,0", "overlap"=>"1", "week_start"=>"1", "currency"=>"USD", "number_format"=>"12,345.00", "date_format"=>"MM/DD/YYYY", "time_format"=>"12-hour (06:00 PM)"}, "commit"=>"Save"}
W, [2015-05-31T16:40:28.833604 #30768] WARN -- : Can't verify CSRF token authenticity
I, [2015-05-31T16:40:28.837829 #30768] INFO -- : Completed 422 Unprocessable Entity in 5ms (ActiveRecord: 0.0ms)
When I look at the HTML that was sent to the client, I see the exact same token:
In a simple way:
<input name="authenticity_token" type="hidden" value="E1GjDUm3LomswskJKg72HjJz7fQ5BOWceGwAauq5B48=" />
And also in the metadata:
<meta content="authenticity_token" name="csrf-param" />
<meta content="E1GjDUm3LomswskJKg72HjJz7fQ5BOWceGwAauq5B48=" name="csrf-token" />
Why is the server refusing the token?
Edit: I already have <%= csrf_meta_tag %> in my layout. As you can see above, the token is also sent with the POST request, so the token is present in the client and sent with the request. This is also the same token that was sent by the server (see the second part of my explanation).
Edit2: Additional info: I tried this in Firefox and it works there. After that I tried with a closed session in IE and it works there too. So it looks like there are cookies that are blocking something.
In my case it was a forgotten rake assets:precompile on the production server. Everything worked well in development, just not in production. Since I was not using the asset pipeline in this particular case, I missed precompiling application.js, which of course caused Turbolinks issues.
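Added example, not part of the original posts and not Rails source code: a simplified Ruby model of a session-bound CSRF check, showing why a token that is echoed back unchanged can still be rejected when the request carries a different session cookie or none at all. The in-memory store and all function names are hypothetical.

```ruby
require 'securerandom'

# Constructed in-memory session store: cookie value => session hash.
SESSIONS = {}

# An unknown or missing cookie yields a fresh, empty session.
def load_session(cookie)
  sid = SESSIONS.key?(cookie) ? cookie : SecureRandom.hex(16)
  SESSIONS[sid] ||= {}
  [sid, SESSIONS[sid]]
end

# Rendering a form stores the expected token in the session and embeds it in the page.
def render_form(cookie)
  sid, session = load_session(cookie)
  session[:csrf] ||= SecureRandom.base64(32)
  { set_cookie: sid, authenticity_token: session[:csrf] }
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The submitted token is compared with the token of the session the cookie selects,
# not with whatever token the HTML happened to contain.
def verify_post(cookie, submitted_token)
  _sid, session = load_session(cookie)
  expected = session[:csrf]
  return :no_token_in_session if expected.nil?
  secure_equal?(expected, submitted_token.to_s) ? :ok : :token_mismatch
end

def demo
  page  = render_form(nil)   # session that produced the form
  other = render_form(nil)   # unrelated session, e.g. a stale cookie in the browser
  token = page[:authenticity_token]
  {
    same_cookie:  verify_post(page[:set_cookie], token),
    other_cookie: verify_post(other[:set_cookie], token),
    no_cookie:    verify_post(nil, token)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

When the logged token matches the rendered one, comparing the session cookie sent with the POST against the one set with the form is the next thing to check.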