
Rails protect_from_forgery & ActionController::InvalidAuthenticityToken issue on multiple domains


I have ONE app which uses 2 domains.

I noticed that I am always receiving ActionController::InvalidAuthenticityToken on one domain but never on the other (the second has way more traffic - maybe this has something to do with it).

Because of this, the app is completely useless on the first domain - it is not possible to use any form (login/register etc.).

The only workaround I found is to add this to ApplicationController:

protect_from_forgery if: -> { false }

When I added skip_before_action :verify_authenticity_token, my app crashed in production (but not in development!).

I would like to figure out why authenticity tokens are working on one domain but not on the other (they share the same resources, db, etc.). Any idea?

Update: I use Cloudflare also.


Solution

  • I figured out that Cloudflare was the root of the issue: SSL/TLS encryption was set to FLEXIBLE (the default setting!), which caused a conflict with the cookie policy.

    Heroku/Rails returned non-secure cookies (because of the non-secure request), but because Cloudflare encrypted the content afterwards (SSL), the browser ignored the non-secure cookies.

    The solution is to change SSL/TLS encryption from FLEXIBLE to FULL on Cloudflare!
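A diagnostic that makes the answer's Cloudflare check visible in code, added here as an example and not part of the original question or answer: a plain-Ruby Rack middleware that compares the scheme Cloudflare says the browser used (the CF-Visitor header) with the scheme the Rails app will believe (X-Forwarded-Proto, then rack.url_scheme) and warns when they disagree, which is the Flexible-mode pattern. Header values and hostnames are constructed, and the `config.middleware.use` line is the assumed way to wire it into a Rails app.

```ruby
require "json"
require "logger"

# Plain-Ruby Rack middleware (stdlib only) that flags requests where Cloudflare
# terminated TLS for the browser but the app is told the request was plaintext:
# the Cloudflare "Flexible" SSL/TLS mode the answer identifies.
# Assumed wiring in Rails: `config.middleware.use FlexibleSslDetector`.
class FlexibleSslDetector
  def initialize(app, logger = Logger.new($stderr))
    @app = app
    @logger = logger
  end
  # Scheme the visitor used, as Cloudflare reports it in CF-Visitor
  # (a JSON header such as {"scheme":"https"}). Nil if absent or malformed.
  def visitor_scheme(env)
    JSON.parse(env.fetch("HTTP_CF_VISITOR", ""))["scheme"]
  rescue JSON::ParserError, TypeError, NoMethodError
    nil
  end

  # Scheme the app will believe, simplified from Rack::Request#scheme:
  # the first X-Forwarded-Proto value wins, else the raw connection scheme.
  def app_scheme(env)
    forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
    forwarded.empty? ? env["rack.url_scheme"] : forwarded
  end

  # True when the browser spoke https to Cloudflare but the app sees http,
  # so request.ssl? is false even though the user is on an https page.
  def flexible_ssl?(env)
    visitor_scheme(env) == "https" && app_scheme(env) == "http"
  end

  def call(env)
    if flexible_ssl?(env)
      @logger.warn("Cloudflare Flexible SSL suspected for #{env['HTTP_HOST']}: " \
                   "visitor=https but app sees http; set the zone to Full")
    end
    @app.call(env)
  end
end
# Constructed sample envs (hostnames and values are made up). The Flexible case
# assumes the proxy in front of the app sets X-Forwarded-Proto from its own
# plaintext inbound hop, so only CF-Visitor still reveals the browser's https.
FLEXIBLE_ENV = { "rack.url_scheme" => "http", "HTTP_X_FORWARDED_PROTO" => "http",
                 "HTTP_CF_VISITOR" => '{"scheme":"https"}', "HTTP_HOST" => "first-domain.example" }
FULL_ENV = FLEXIBLE_ENV.merge("HTTP_X_FORWARDED_PROTO" => "https", "HTTP_HOST" => "second-domain.example")
# Detector in front of a stub app; a silent logger keeps stand-alone runs quiet.
DETECTOR = FlexibleSslDetector.new(->(_env) { [200, {}, ["ok"]] }, Logger.new(nil))
```

Run against real traffic, a warning for the first domain but not the second would confirm the zone mode mismatch the answer describes before touching the CSRF settings.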