
Nash.rb Message Board › Frequent ActionController::InvalidAuthenticityToken exceptions

Frequent ActionController::InvalidAuthenticityToken exceptions

Daniel N.
user 8479725
Nashville, TN
Post #: 2
Everything I've found via Google relating to ActionController::InvalidAuthenticityToken relates to it being a permanent error, usually because someone manually rolled a form without including the authenticity token. But I'm getting exception emails (using exception notifier: http://agilewebdevelo...) every few days from one of my applications that has a few hundred users.

I can reproduce the error by double clicking the submit button on any form, presumably because there is a single valid code for any form, so the second time the form is received, it fails. While writing a simple PHP framework for some older projects, I realized this would be a problem, so in that framework, I store two codes, and simply move them through like a two-entry queue (there is a little subtlety so that my code won't fail even if a user clicks more than twice). Can it be that rails expects users to only click once? What about slow connections? Or worse still, systems running in Passenger on shared hosts, where a page may take many seconds to respond after an application has been purged from memory?

Do any of your applications throw this error (assuming you use protect_from_forgery)? What happens when you double click (on an off-site installation, not running on localhost because the response time may be too quick to catch)?

Thanks for any help or discussion on this,

Eliza Brock M.
Nashville, TN
Post #: 1
Have you tried disabling the button (with javascript) after the first click?

That should solve the problem for all of the users that have javascript enabled, which should be the majority of them.

If you're using the rails helpers to build your forms, take a look at using the disable_with option in the options hash on submit_tag.
Daniel N.
user 8479725
Nashville, TN
Post #: 3
I did try that at one point, but ran into "frozen form" problems when, for instance, somebody submitted the form but then stopped the page load to change some information. They could change their information, but wouldn't be able to submit the form. I think there were other usage scenarios that also resulted in this frozen form problem.

I also think that something must be incorrect because if I'm getting this percentage of failure on a system with a few hundred users, this problem would be easier to find in searches. Have you experienced this problem? Can you replicate it?

Thank You,

Daniel N.
user 8479725
Nashville, TN
Post #: 4
After reading more about the general "form double submission problem", I think the ActionController::InvalidAuthenticityToken exception could be used to provide an elegant server-side solution for Rails.

That is, if after form submission, information about what was sent to the user were stored, then an ActionController::InvalidAuthenticityToken exception could be handled by re-displaying / redirecting the user to what the user should have seen after the first submission. This would eliminate all problems related to double submission and its various workarounds: frozen form, error message display to user, double submission of forms.
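
The server-side approach proposed in the last post, sketched in plain Ruby as an added example that is not part of the original thread and is not Rails' own code. `FormTokenStore`, `submit` and `double_click_demo` are hypothetical names, and the sketch assumes one in-memory store per user session, so a token that was never issued to that session is still rejected.

```ruby
require "securerandom"

# Hypothetical per-session store of single-use form tokens (not a Rails API).
class FormTokenStore
  Result = Struct.new(:status, :location)

  def initialize(max_replays: 20)
    @pending = {}    # token => true, issued but not yet submitted
    @completed = {}  # token => location the first submission redirected to
    @max_replays = max_replays
    @lock = Mutex.new # a second click waits until the first has finished
  end

  # Called when rendering a form; the token goes into a hidden field.
  def issue
    token = SecureRandom.urlsafe_base64(32)
    @lock.synchronize { @pending[token] = true }
    token
  end

  # Called on POST. The block does the real work once and returns the redirect
  # target; a repeated token replays that target without running the block again.
  def submit(token)
    @lock.synchronize do
      if @pending.delete(token)
        location = yield
        @completed[token] = location
        @completed.shift while @completed.size > @max_replays # bound memory
        Result.new(:processed, location)
      elsif @completed.key?(token)
        Result.new(:replayed, @completed[token])
      else
        Result.new(:rejected, nil) # never issued here: still a forgery failure
      end
    end
  end
end

# Constructed demo: a double click sends the same token twice.
def double_click_demo
  store = FormTokenStore.new
  token = store.issue
  orders = []
  create = -> { orders << :order; "/orders/#{orders.size}" }
  first  = store.submit(token, &create)
  second = store.submit(token, &create)
  forged = store.submit("not-issued", &create)
  [first, second, forged, orders.size]
end
```

With several application processes, the store and its lock would have to live in shared session storage rather than in process memory.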