Search code examples
ruby-on-railsherokudevisecsrf

Heroku/Rails/Devise: The change you wanted was rejected

I'm having a problem with my Rails 4.2 app running the latest version of Devise on Heroku. I'm going to preface this by stating that I have not pushed any code changes to production in quite some time and that this issue only started recently.

When I go to log in, I receive an error saying "The change you wanted was rejected." When I view the logs, I can see that it's a problem with the CSRF token.

2015-04-04T19:52:22.430533+00:00 app[web.1]: Started POST "/users/sign_in" for 76.119.72.58 at 2015-04-04 19:52:22 +0000
2015-04-04T19:52:22.435480+00:00 app[web.1]: Completed 422 Unprocessable Entity in 1ms
2015-04-04T19:52:22.434143+00:00 app[web.1]: Processing by Devise::SessionsController#create as HTML
2015-04-04T19:52:22.434211+00:00 app[web.1]:   Parameters: {"utf8"=>"✓", "authenticity_token"=>"94uXDeV2wbb1XMfUL445zrIrbhS92pwe+9tWxkyvwtJhnZtZS3ydYOeP2grZvT/t2YMa2A2k/pA+U5X3gFXlAw==", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Log in"}
2015-04-04T19:52:22.435112+00:00 app[web.1]: Can't verify CSRF token authenticity
2015-04-04T19:52:22.438522+00:00 app[web.1]:

I've been scouring StackOverflow for answers and have tried everything I can think of. I've tried a few different things so far:

  1. I added this line to my session_store.rb thinking that it might be an issue with the cookies being mixed between development and production environments. Rails.application.config.session_store :cookie_store, key: "_abhnation_session_#{Rails.env}"

  2. I do NOT have the rails-api gem, which some discussions suggested might be the culprit.

I've also noticed that the problem is strictly with Firefox and is not environment-specific. It occurs in development, test, and production. I've only been able to get around it in test by stubbing sessions.

I can't figure out what caused this to happen. I have not pushed any changes to my public-facing production environment in a few months.

Here is the code link: http://github.com/danielbonnell/abhnation-rails Here is the live site: http://abhnation.herokuapp.com/

Solution

  • Turns out the issue (at least for me) was being caused by the Blur / DoNotTrackPlus extension for Firefox. I had previously disabled it, but that had no effect. When I removed it, however, the problem went away.

    Hope this helps someone in the future.