Invalid Authenticity Token when signing in


Shokka Tweej

May 26, 2026, 7:22:48 PM (20 hours ago) May 26
to Canvas LMS Users
DevTools - cookies, the csrf is getting named like this: ' ["_csrf_token'

What could be causing this malformation? When attempting to log in I am consistently getting 'Invalid Authenticity Token' and can't continue.

Nicholas Hadley

1:08 PM (2 hours ago) 1:08 PM
to canvas-l...@googlegroups.com
Hi,

I believe this is a known Passenger/Rack compatibility issue rather than a Canvas configuration problem directly.

The clue is the malformed CSRF cookie name showing up as:

'["_csrf_token'

instead of:

'_csrf_token'

When that happens, Canvas cannot properly validate the token and Rails throws the “Invalid Authenticity Token” error during login.

This is commonly caused by Passenger versions that do not fully support Rack 3 response header formatting. We ran into something very similar previously in our own Canvas environment.

I would check the following:

```bash
passenger-config --version
bundle exec ruby -e 'require "rack"; puts Rack.release'
```

If Passenger is around 6.0.18 and Rack is 3.x, that is likely the culprit.

Two possible fixes:

1. Upgrade Passenger to 6.0.19 or newer

OR

2. Temporarily pin Rack below version 3:

```ruby
gem "rack", "< 3"
```

Then run:

```bash
bundle install
sudo systemctl restart apache2
```

The malformed [" prefix on cookies has been documented in Rack/Passenger compatibility reports and aligns very closely with the behavior you are seeing.

Hope that helps narrow it down, but I think this is how I fixed the issue when it happened to me last year. 

Nicholas 


----------------------------------------
Nicholas S. Hadley, M.Ed. (he/him)
IT Specialist & Project Coordinator | Center on Human Development
College of Education
Just like moons and like suns, with the certainty of tides, just like hopes springing high, still I’ll rise.-Maya Angelou
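
Added example, not part of the posts above and not Canvas, Rack or Passenger code: a stdlib-only Ruby sketch of how an array-valued `set-cookie` header (Rack 3 allows header values to be Arrays of Strings) turns into a cookie named `["_csrf_token` when a server stringifies the value, plus a check that flags such names. The header values, the `canvas_session` cookie and the `emit_string_only` server model are constructed assumptions.

```ruby
# Constructed Rack 3 style response headers: several cookies arrive as an
# Array of Strings under a single "set-cookie" key.
HEADERS = {
  "content-type" => "text/html",
  "set-cookie"   => ["_csrf_token=abc123; path=/; secure",
                     "canvas_session=xyz; path=/; HttpOnly"]
}.freeze

# Hypothetical model (assumption) of a server that expects every header value
# to be a String and simply stringifies whatever it is handed.
def emit_string_only(headers)
  headers.map { |name, value| "#{name}: #{value}" }
end

# Rack 3 aware emission: one header line per Array element.
def emit_rack3_aware(headers)
  headers.flat_map { |name, value| Array(value).map { |v| "#{name}: #{v}" } }
end

# Cookie name as the browser sees it: the text before the first "=" of each
# Set-Cookie line.
def cookie_names(lines)
  lines.filter_map do |line|
    field, value = line.split(": ", 2)
    value.split("=", 2).first if field.casecmp?("set-cookie")
  end
end

# Cookie names must be HTTP tokens; whitespace and separators such as
# "[" and '"' are not allowed in a token.
NON_TOKEN = /[\s()<>@,;:\\"\/\[\]?={}]/

def malformed_cookie_names(lines)
  cookie_names(lines).select { |n| n.empty? || n.match?(NON_TOKEN) }
end

if __FILE__ == $PROGRAM_NAME
  puts emit_string_only(HEADERS)                        # the broken header line
  p malformed_cookie_names(emit_string_only(HEADERS))   # flagged names
  p malformed_cookie_names(emit_rack3_aware(HEADERS))   # nothing flagged
end
```

The same `malformed_cookie_names` check can be pointed at `Set-Cookie` lines captured from the login response to confirm whether the upgrade or the Rack pin cleared the problem.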