A Way To Premium Solutions

A Way To Premium Solutions

Actioncontroller::invalidauthenticitytoken error comes up on account of sending requests from a cached web page, utilizing a stale authentication token, a lacking csrf_meta_tags tag, and many others. Moreover, the rationale for its look in your laptop may differ relying in your code and exercise.Actioncontroller Invalidauthenticitytoken Error

But this text has coated all of it; you’ll get to learn about totally different causes of the identical error and the premium options to repair it with out a lot problem. So, begin studying to determine the areas that want fixing to eradicate the given error.

What Causes Actioncontroller::invalidauthenticitytoken Error?

The widespread causes of the actioncontroller::invalidauthenticitytoken embrace cached pages sending requests, a lacking authentication_token discipline, or a lacking csrf_meta_tags tag. Also, inadequate headers, an empty session_store.rb file, or a lacking library in this system may also result in the identical error.

– Page Caching and a Stale Authentication Token

Sending a request from a cached web page and a stale or expired authentication token can lead to the “actioncontroller::invalidauthenticitytoken React: can’t verify CSRF token authenticity.” error.

For instance, you may have a kind on a webpage that implements web page caching. If the shape is submitted throughout your second go to to the identical web page, it should generate the given error on account of a stale authentication token.

Note that the online server returns a cached web page with out going by way of your entire Rails stack which ends up in this error.

– A Missing csrf_meta_tags Tag

If your pages use the Cross-Site Request Forgery (CSRF) tokens and the csrf_meta_tags tag is lacking, you’ll obtain the identical error. The acknowledged tag has the identical objective because the hidden authentication_token fields, which is safety in opposition to CSRF assaults.A Missing Csrf Meta Tags Tag

However, the previous supplies an additional facility for the JavaScript requests that don’t belong to a kind to get the token.

– The Token Is Not Sent With AJAX Calls

If your kind is constructed utilizing helpers, the AJAX calls are despatched with an authentication token by default. However, if you happen to aren’t utilizing helpers, it is likely to be doable that the token isn’t despatched with the AJAX calls resulting in the actioncontroller::invalidauthenticitytoken Rails 6 error.

– A Misconfigured Reverse Proxy

A misconfigured reverse proxy that doesn’t have enough headers to offer sufficient details about the unique shopper request may cause the given error. Note that the backend requires the unique shopper request’s particulars for higher processing and verification of the request.

It compares the request origin in opposition to the request base_url. The worth that’s in contrast includes the host, scheme, and port, supplied within the form of three headers.

READ :  [Solved] Ubuntu16.4Install vcs2016 Error: mount.vboxsf: mounting failed with the error: Invalid argument

Unfortunately, the host, scheme, and port aren’t specified whereas utilizing a reverse proxy. It fails the comparability made by the backend and ends in the actioncontroller::invalidauthenticitytoken Rails 5 error.

– An Empty session_store.rb File

The session_store.rb file lets you set a session storage mechanism in your software. The cookie_store is the default mechanism, however you may change it to active_record_store for utilizing your database as per your choice.

Now, in case your config/initializers/session_store.rb file is empty, which suggests there isn’t a session storage mechanism specified, you’ll get the above error in your display.

– No jquery_ujs or rails_ujs in software.js

The jquery_ujs or rails_ujs script is essential for making JavaScript calls. The rails_ujs is identical jquery_ujs library rewritten in vanilla-JS. The Rails workforce did this to take away the JQuery dependency.

The core objective of each scripts is to simplify the execution of RESTful actions by way of hyperlinks and help you in operating widespread JavaScript actions simply. Therefore, if you happen to don’t have jquery_ujs or rails_ujs in your software.js file, the invalid token error received’t go away your display.

– Using Two Instances of gitlab-redis-master

If you try to make use of two situations of gitlab-redis-master, gitlab will throw an error stating that it couldn’t authenticate you from Ldapmain on account of an invalid token. Although you may have the ability to log in and navigate to 1 or two pages, you’ll be logged out and redirected to the login web page with the identical error message.

Solutions To repair the Actioncontroller::invalidauthenticitytoken Error

Some of the most effective options to repair the actioncontroller error embrace disabling the safety on cached pages, including a csrf_meta_tags tag, selecting fragment caching as an alternative of web page caching.

Also, inserting an authentication_token discipline in your kind, offering enough headers whereas utilizing a reverse proxy, and setting the session storage mechanism.

There are much more options that may be added to the listing. So, right here you go together with the descriptions of the premium options that’ll prevent hours of stress and energy.

– Choose Between Security and Page Caching

The safety makes an attempt on cached pages making requests could make issues tough for you. If you may have a kind in your web page otherwise you wish to ship some requests from an internet web page, then it will be higher to disable web page caching on such a web page to resolve the error.

However, if web page caching is your precedence, then it is best to disable safety on such pages to eliminate the error. It is as a result of safety and web page caching can interrupt web page requests.

READ :  How To Parse A JSON String In TypeScript?

To disable web page caching, you’ll must take away the cashes_page technique out of your controller. But in case you wish to disable safety, you’ll must name a way in your controller, relying in your Rails model.

For instance, you may have three actions in your controller: :present, :index, and :replace. In such a state of affairs, you may apply web page caching on :present and :index whereas skipping :replace. Plus, you may inform the controller to carry out authentication for :replace solely.

Working code for Rails 3:

caches_page: :present, :index

skip_before_filter :verify_authenticity_token, besides: [:update]

Use the next code block in Rails 4 and 5:

caches_page: :present, :index

skip_before_action :verify_authenticity_token, besides: [:update]

In Rails 6, add the under line within the config/software.rb file:

config.action_controller.allow_forgery_protection = false

– Add the csrf_meta_tags Inside Your Main Layout

Keeping in thoughts the significance of the csrf_meta_tags talked about above, it is best to add the given tag in your principal structure to eliminate the error. Remember that if you happen to don’t add it in the principle structure, you’ll want to put it on each web page that requires safety in opposition to CSRF assaults.

You can copy-paste the tag from the subsequent line to see the way it blows away your stress:

– Go for Fragment Caching

Rails supplies you with many sorts of caching, and fragment caching is certainly one of them. You can use fragment caching to exclude the a part of the web page that sends requests. It will be sure that the remainder of your web page is cached whereas part of it’s newly generated. This approach, you may carry safety, caching, and requests altogether.

For instance, you may have a number of flower names in your database. You wish to apply fragment caching to the a part of the web page that shows the flower names. Here is how you are able to do it:

<% @flowers.every do |flower| %>

<% cache flower do %>

<%= render flower %>

<% finish %>

<% finish %>

– Include a Hidden Field for an Authenticity Token

In kinds constructed with out utilizing helpers, it is best to embrace a hidden authenticity_token discipline to take away the actioncontroller::invalidauthenticitytoken Postman error. Please check with the under code block to see what the required discipline appears like:

<%= hidden_field_tag :authenticity_token, form_authenticity_token %>

If you might be working with a reverse proxy, then including the wanted headers will remedy the difficulty. The anticipated headers have been supplied under to save lots of you time.Provide Headers For More Information

READ :  Operands Could Not Be Broadcast Together With Shapes: Problem Fixed

You can copy and paste them inside your proxy configuration file to fill the void and assist the backend in evaluating request origin in opposition to request base_url. But don’t overlook to alter the server and proxy_pass values to align together with your server and software.

upstream myapp {
server unix:///path/to/puma.sock;

location / {
proxy_pass http://myapp;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on; # Optional
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
upstream myapp {
server unix:///path/to/puma.sock;

location / {
proxy_pass http://myapp;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on; # Optional
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;

– Add Content To Your session_store.rb File

Specifying a session storage mechanism in your session_store.rb file may help you eradicate the given error. Also, don’t overlook to restart your server after modifying the mentioned file. It is as a result of the modifications might be utilized after you may have restarted this system.

– Have jquery_ujs or rails_ujs in software.js

If lacking, you’ll have so as to add the jquery_ujs within the software.js. Here is the right approach so as to add it:

//= require jquery

//= require jquery_ujs

However, in Rails 5.1 and onwards, including the under line of code will give you the results you want:

Note that you can’t use jquery_ujs and rails_ujs collectively. If you might be utilizing an outdated sample code that makes use of JQuery, you should use jquery_ujs. On the opposite hand, in case you are beginning with a brand new code, then it will be greatest to go for rails_ujs.

Moreover, you can too eleminate this error by utilizing solely a single occasion of the gitlab-redis-master.


The actioncontroller::invalidauthenticitytoken Rails 7 error rises on account of totally different causes, amongst which a stale token is the commonest.

However, the most effective half is that we’ve added answer based on every trigger that may assist you eleminate the error effortlessly. Here are the important thing factors that’ll make it simpler so that you can conclude the put up:

  • You shouldn’t cache a web page that sends requests.
  • Disable the safety to eradicate the invalid token error.
  • Ensure that the structure requiring a CSRF token has the csrf_meta_tags tag.
  • Add the hidden authentication_token discipline in your kind.
  • Include headers whereas utilizing a reverse proxy to keep away from the given error.

With this put up in entrance of you, the invalid token error can’t keep for lengthy in your display.


  • https://stackoverflow.com/questions/3364492/actioncontrollerinvalidauthenticitytoken
  • https://talk about.codecademy.com/t/innovation-cloud-step-16-actioncontroller-invalidauthenticitytoken/501917/5
  • https://discussion board.gitlab.com/t/frequently-get-logged-out-in-gitlab-ui-error-contains-actioncontroller-invalidauthenticitytoken/69555
  • https://stackoverflow.com/questions/9996665/rails-how-does-csrf-meta-tag-work
  • https://github.com/rails/rails/points/22965
  • https://guides.rubyonrails.org/caching_with_rails.html#fragment-caching

Leave a Reply

Your email address will not be published. Required fields are marked *