ActionController::InvalidAuthenticityToken in LoginController

4 views
Skip to first unread message

Double

unread,
Jan 15, 2008, 9:45:39 PM1/15/08
to Ruby on Rails: Talk
Hi,

I'm having a problem trying to get a login controller working. When I
try and post to my login controller I get the following error:

ActionController::InvalidAuthenticityToken in LoginController#login

login_controller:

class LoginController < ApplicationController
def login
case request.method
when :post
if @session['user'] = User.authenticate(@params['username'],
@params['password'])

flash['notice'] = "Login successful"
redirect_back_or_default :action => "welcome"
else
@login = @params['username']
@message = "Login unsuccessful"
redirect_to :action=> "login"
end
end
end
.....

login.html.erb:

<div id="login">
<h1>Please Login</h1>

<form method="post" action="">
<p><label for="user_login">Username</label>
<%= text_field "user", "username", :class => 'textbox', :value
=> '', :maxlength => 40 %></p>
<p><label for="user_password">Password</label>
<%= password_field "user", "password", :class =>
'textbox', :value => '', :maxlength => 40 %></p>
<p class="buttons">
<%= submit_tag 'Login', :class => 'button' %>
</p>
</form>
</div>

User.rb

class User < ActiveRecord::Base

def self.authenticate(login, pass)
User.find(:first, :conditions =>["username = ? AND password = ?",
login, sha1(pass)])
end

def change_password(pass)
update_attribute "password", self.class.sha1(pass)
end

protected

def self.sha1(pass)
Digest::SHA1.hexdigest("somedigest")
end

before_create :crypt_password

def crypt_password
write_attribute("password", self.class.sha1(password))
end

validates_length_of :login, :within => 3..40
validates_length_of :password, :within => 5..40
validates_presence_of :login, :password, :password_confirmation
validates_uniqueness_of :login, :on => :create
validates_confirmation_of :password, :on => :create
end

I have the :secret and :session_key set in the environment.rb

Does anyone have any ideas?

Jean-François Trân

unread,
Jan 15, 2008, 10:15:30 PM1/15/08
to rubyonra...@googlegroups.com
2008/1/16, Double <ddemi...@gmail.com>:

> I'm having a problem trying to get a login controller working. When I
> try and post to my login controller I get the following error:
>
> ActionController::InvalidAuthenticityToken in LoginController#login

[...]

> login.html.erb:
>
> <div id="login">
> <h1>Please Login</h1>
>
> <form method="post" action="">
> <p><label for="user_login">Username</label>
> <%= text_field "user", "username", :class => 'textbox', :value
> => '', :maxlength => 40 %></p>
> <p><label for="user_password">Password</label>
> <%= password_field "user", "password", :class =>
> 'textbox', :value => '', :maxlength => 40 %></p>
> <p class="buttons">
> <%= submit_tag 'Login', :class => 'button' %>
> </p>
> </form>
> </div>

You should use the token_tag helper in your form to provide
the secret token needed by Rails for CSRF security reasons.

-- Jean-François.

Double

unread,
Jan 15, 2008, 10:22:13 PM1/15/08
to Ruby on Rails: Talk
Are you saying that is the problem or are you making that suggestion
for simply security reasons?

On Jan 15, 10:15 pm, "Jean-François Trân" <jft...@rubyfrance.org>
wrote:
> 2008/1/16, Double <ddemich...@gmail.com>:

Double

unread,
Jan 15, 2008, 10:32:31 PM1/15/08
to Ruby on Rails: Talk
Forget it - got it. Thank you for the help. This worked like a charm.

<%= token_tag %>

Bzouchir

unread,
Jan 21, 2008, 5:33:22 AM1/21/08
to Ruby on Rails: Talk
HI I'm having that same exact problem while following "rails
solutions" book excercises.

the difference is that I'm still new to RoR that i couldn't get it to
work with <%= token_tag %>
didn't find much on the net either.

where should i add this tag and how is it used? is there any extra
params to add to it?

in my view I have:
<%= form_tag({:controller => 'user', :action => 'login'},{:id
=>"login_form"})%>
<label for="user_login">Login:</label><br />
<%= text_field :user, :login %><br />
<label for="user_login">Password:</label><br />
<%= password_field :user, :password%><br />
<%= submit_tag 'Login' %>
<% $end %>

this happened after I uncommented in environment.rb and restarted the
server
config.action_controller.session_store = :active_record_store

if it worked for you please help me out on that one.
cheers.

Reply all
Reply to author
Forward
0 new messages