Rails: Heroku: Production ActionController::InvalidAuthenticityToken


So I’m not sure if this is 100% causing it, but I was able to replicate the error.

To reproduce:
1) Open two browser windows of the same browser type (i.e. 2 Chrome windows)
2) Go to the login page in both windows
3) Log in on one of the windows and then log out
4) Log in on the other browser window and you’ll see the error

Logging out updates the CSRF token, but if the other login page isn’t refreshed, it doesn’t get the updated token. Shouldn’t Devise be handling this situation gracefully?

This is where it errors:

        def handle_unverified_request
          raise ActionController::InvalidAuthenticityToken
        end


protect_from_forgery with: :exception

Getting rid of the with: :exception prevents the exception from being thrown and forces the login page to refresh, so I guess that solves that problem. We’ll see if that resolves the issues with users trying to log in during a deploy.


I have my production and staging in Heroku. staging.rb and production.rb in config/environments are exact copies. However, I could replicate the error in production but not in staging.
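
The four reproduction steps above can be replayed offline with a small model. This is an added example in plain Ruby, not code from the post, Rails or Devise; ToyApp, reproduce and the :rerender label are names invented for the model. It shows that the second window's stale token is rejected either way, and that the only difference is whether the user sees an exception or a fresh login form.

```ruby
require "securerandom"
class InvalidAuthenticityToken < StandardError; end

# Toy server (a model, not Rails/Devise code): one CSRF token per session.
class ToyApp
  def initialize(on_mismatch)
    @on_mismatch = on_mismatch # :exception or :rerender (labels invented here)
    @sessions = {}
  end
  def new_session
    sid = SecureRandom.hex(8)
    @sessions[sid] = { csrf: SecureRandom.base64(32), user: nil }
    sid
  end
  # GET login page: the session's token is embedded in the form.
  def login_form(sid)
    @sessions.fetch(sid)[:csrf]
  end

  # POST login: the form token must match the current session's token
  # (Rails compares in constant time; plain != keeps the model short).
  def login(sid, form_token, user)
    session = @sessions.fetch(sid)
    if form_token != session[:csrf]
      raise InvalidAuthenticityToken if @on_mismatch == :exception
      return [:rerender_login, session[:csrf], session[:user]]
    end
    session[:user] = user
    [:logged_in, user]
  end

  # Logout discards the session; the browser gets a new one with a new token.
  def logout(sid)
    @sessions.delete(sid)
    new_session
  end
end

# The four steps from the post; both windows share one cookie jar.
def reproduce(on_mismatch)
  app = ToyApp.new(on_mismatch)
  cookie = app.new_session
  window_a = app.login_form(cookie)      # steps 1-2: both windows load
  window_b = app.login_form(cookie)      # the form and get the same token
  app.login(cookie, window_a, "alice")   # step 3: log in, then log out
  cookie = app.logout(cookie)
  app.login(cookie, window_b, "alice")   # step 4: stale token, new session
rescue InvalidAuthenticityToken => e
  [:error, e.class.name]
end
```

In the :rerender case the response carries the current session's token and no logged-in user, so resubmitting the refreshed form succeeds while the stale request never authenticates anyone.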


