Painful experience with rails InvalidAuthenticityToken

Today I had a really painful experience with rails InvalidAuthenticityToken. It turned out not to have anything to do with rails at all, and that is where the painful part comes into play.

We had an application which needed a staging environment. When everything was set up and after the first deploy to the new environment, everything seemed fine at first, but when we tried to log in we got these fine messages:

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
    /vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
    /vendor/rails/activesupport/lib/active_support/callbacks.rb:178:in `send'
    /vendor/rails/activesupport/lib/active_support/callbacks.rb:178:in `evaluate_method'
    /vendor/rails/activesupport/lib/active_support/callbacks.rb:166:in `call'
    /vendor/rails/actionpack/lib/action_controller/filters.rb:225:in `call'
    /vendor/rails/actionpack/lib/action_controller/filters.rb:629:in `run_before_filters'
    /vendor/rails/actionpack/lib/action_controller/filters.rb:615:in `call_filters'
    /vendor/rails/actionpack/lib/action_controller/filters.rb:610:in `perform_action_without_benchmark'
    /vendor/rails/actionpack/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'

After about two hours of troubleshooting the only problem left was that the browser did not get the cookie. We used telnet to check the headers and the cookie was there… ok, the browser is broken…. sure…

Then, finally, it came to me… what if… the hostname is broken? Broken hostname, you tell me? Just for fun I changed the hostname and bada-bong bada-bing everything is working…. Now I get this creepy feeling about the big mistake I have made…

The thing is that I have worked with domains for many years and I know very well that you CANNOT have underscores in your domains. But my peanut brain does not think of subdomains as a domain name. So we had a subdomain with an underscore. Putting an underscore in the domain name makes Safari and some versions of Explorer not accept cookies, and that makes the rails AuthenticityToken treat me as a hacker….
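A small check that would have caught this before deploy, added here as an example and not code from the original post: it validates every label of a hostname, subdomains included, against the RFC 1035 hostname label rules (letters, digits and hyphens only, no leading or trailing hyphen, at most 63 characters per label) and reports the first offending label. The function names and sample hostnames are my own.

```ruby
# Added example: RFC 1035 "preferred name syntax" for a single hostname label.
# Letters, digits and hyphens only; must start and end with a letter or digit.
LABEL_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# Returns nil when the hostname is valid, otherwise a string naming the
# first problem found and the label it was found in.
def hostname_problem(host)
  name = host.to_s.chomp(".")           # a trailing dot (FQDN form) is fine
  return "empty hostname" if name.empty?
  return "hostname longer than 253 characters" if name.length > 253

  # split with -1 keeps empty labels so "a..b" is reported, not silently accepted
  name.split(".", -1).each_with_index do |label, i|
    n = i + 1
    return "label #{n} is empty" if label.empty?
    return "label #{n} (#{label.inspect}) is longer than 63 characters" if label.length > 63
    # The case from the post: an underscore in a subdomain label.
    return "label #{n} (#{label.inspect}) contains an underscore" if label.include?("_")
    unless label.match?(LABEL_RE)
      return "label #{n} (#{label.inspect}) has an invalid character or hyphen placement"
    end
  end
  nil
end

def valid_hostname?(host)
  hostname_problem(host).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample hostnames for illustration.
  %w[staging.example.com staging_app.example.com -bad.example.com].each do |h|
    puts "#{h}: #{hostname_problem(h) || 'ok'}"
  end
end
```

Run it against each hostname a cookie will be set for; a non-nil result means some browsers may refuse the session cookie, and with it the CSRF token, for that host.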

As a punishment I will force myself to read RFC 1035 (

Over and out….

  • Rizzotto

    thanks for your take

