Tags: ruby-on-rails, heroku

Can't verify CSRF token authenticity on Heroku - Rails 7


This app works fine in localhost, but fails when deployed to Heroku.

When I try to log in I get this error in the logs:

Error R14 (Memory quota exceeded)
Started POST "/users/sign_in?locale=en" for 115.31.132.11 at 2022-07-04 15:19:04 +0000
Processing by Users::SessionsController#create as HTML
  Parameters: {"authenticity_token"=>"gLidqKg8CS6bv....", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"1"}, "commit"=>"Log in", "locale"=>"en"}
Can't verify CSRF token authenticity.
Started GET "/profiles?locale=en" for XXX.XXX.XXX.XXX at 2022-07-04 16:40:43 +0000
Processing by ProfilesController#index as HTML
Parameters: {"locale"=>"en"}
Completed 401 Unauthorized in 84ms (Allocations: 1320)
Started GET "/users/sign_in?locale=en" for X.X.X.X at 2022-07-04 16:40:43 +0000
Processing by Users::SessionsController#new as HTML

The CSRF metadata is present, as you can see it's submitted in the POST request. I am using Heroku with SSL certificates. No Cloudflare.

app/controllers/application_controller.rb

class ApplicationController < ActionController::Base
  protect_from_forgery
end

config/environments/production.rb

config.force_ssl = false

config.cache_store = :redis_cache_store, {
  namespace: 'cache',
  expires_in: 24.hours,
  driver: :hiredis,
  url: ENV.fetch("REDIS_CACHE_URL") { "redis://localhost:6379/1" },
}

config.session_store :cookie_store, expire_after: 1.year, domain: :all

Heroku ENV SECRET_TOKEN is present.


EDIT: I found the problem is `domain: :all`. I need to have `domain: :all` because I need to share sessions across subdomains (fr.dashboard.example.com, es.dashboard.example.com etc.).

config.session_store :cookie_store, expire_after: 1.year, domain: :all

Solution

  • I solved it by changing

    domain: :all

    to

    domain: '.example.com'
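As an added example, not code from the question or the answer: a small Ruby model of RFC 6265 cookie domain matching, showing that a session cookie scoped to '.example.com' is sent back on both fr.dashboard.example.com and es.dashboard.example.com, which is what lets Rails find the session and verify the submitted authenticity_token. The session cookie name and the host names are assumptions for illustration.

```ruby
# Added example (not from the question or answer): why the session cookie, and
# with it the CSRF token Rails checks against the session, only reaches the
# sign-in POST when the cookie's Domain attribute matches the request host.
# Domain matching follows RFC 6265 section 5.1.3. The cookie name
# "_app_session" and the host names below are constructed for illustration.

# RFC 6265 5.1.3: a request host domain-matches a cookie domain when they are
# equal, or the host ends with ".<domain>" and the host is not an IP address.
def domain_match?(request_host, cookie_domain)
  host = request_host.downcase
  domain = cookie_domain.downcase.sub(/\A\./, "") # leading dot is ignored (5.2.3)
  return false if host.match?(/\A[\d.]+\z/)       # IP addresses never domain-match
  host == domain || host.end_with?(".#{domain}")
end

# Names of the cookies a browser would attach to a request for +request_host+,
# given a jar of {name => domain} pairs the application set earlier.
def cookies_sent(jar, request_host)
  jar.select { |_name, domain| domain_match?(request_host, domain) }.keys
end

# Rails verifies authenticity_token against the session; if the session cookie
# is not on the POST, the result is "Can't verify CSRF token authenticity."
def csrf_verifiable?(jar, request_host, session_cookie = "_app_session")
  cookies_sent(jar, request_host).include?(session_cookie)
end

# Constructed jars: one scoped the way the answer suggests, one scoped to a
# single subdomain for contrast.
SHARED_JAR = { "_app_session" => ".example.com" }
NARROW_JAR = { "_app_session" => "fr.dashboard.example.com" }

if __FILE__ == $0
  %w[fr.dashboard.example.com es.dashboard.example.com evil-example.com].each do |host|
    puts "#{host}: shared=#{csrf_verifiable?(SHARED_JAR, host)} " \
         "narrow=#{csrf_verifiable?(NARROW_JAR, host)}"
  end
end
```

A cookie scoped to '.example.com' is sent to every host under example.com, so every subdomain that serves content must be trusted with the session.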