DigitalOcean 1-Click Rails App - InvalidAuthenticityToken

Posted August 1, 2018 5.8k views
Ruby on RailsNginxDigitalOceanApplicationsUbuntu 16.04

[2018-08-01T00:08:14.616530 #13285] INFO -- : Started POST "/login" for at 2018-08-01 00:08:14 +0000
I, [2018-08-01T00:08:14.628178 #13285] INFO -- : Processing by SessionController#create as HTML
I, [2018-08-01T00:08:14.629969 #13285] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"9d2SwyolmTOHHo21SYVb7R8cGuTG8lCDpN5A/vrs1jr1IHv12yadJ+0YqH6gI4U5JQCZghF3vG0VQnhIdS7htQ==", "session"=>{"email"=>"", "password"=>"[FILTERED]"}, "commit"=>"Log in"}
W, [2018-08-01T00:08:14.638901 #13285] WARN -- : Can't verify CSRF token authenticity.
I, [2018-08-01T00:08:14.639597 #13285] INFO -- : Completed 422 Unprocessable Entity in 9ms (ActiveRecord: 0.0ms)
F, [2018-08-01T00:08:14.642361 #13285] FATAL -- :
F, [2018-08-01T00:08:14.642791 #13285] FATAL -- : ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

This webpage works fine on my development box, which doesn't use Nginx or Unicorn. At first I assumed that maybe I'd forgotten to populate the SECRET_KEY_BASE and that was causing issues, but it seems that the 1-click Rails App does in fact populate the ENV variable for SECRET_KEY_BASE, so I guess that isn't the problem.

1 answer

Referencing this link:

I was able to solve the problem.


config.force_ssl = true


Set secure: true; optionally only do this for certain Rails environments (e.g., Staging / Production):

Rails.application.config.session_store :cookie_store, key: '_testapp_session', secure: true

I then had to also modify the nginx /rails config file, adding

proxy_set_header X-Forwarded-Proto https;

to each location next to the other proxy_set_header's.
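One reason the X-Forwarded-Proto line matters for this particular CSRF error: when Rails 5's forgery_protection_origin_check is on, the browser's Origin header must equal request.base_url, and the scheme of base_url is derived from the proxy's forwarding headers, so an nginx that terminates TLS but forwards plain HTTP without that header leaves Rails comparing https://host against http://host. The plain-Ruby model below is an added example, not code from the answer above or from Rails or Rack; it re-implements the scheme detection and the origin comparison in simplified form and runs it over a constructed request environment for the hostname app.example.test.

```ruby
# Simplified model of Rack::Request#scheme: an explicit HTTPS flag first, then the
# headers a TLS-terminating reverse proxy sets, then the scheme of the socket
# the app server itself is listening on (plain http for nginx -> Unicorn).
def request_scheme(env)
  return "https" if env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_SSL"] == "on"
  return env["HTTP_X_FORWARDED_SCHEME"] if env["HTTP_X_FORWARDED_SCHEME"]
  if (proto = env["HTTP_X_FORWARDED_PROTO"])
    return proto.split(",").first.strip # first hop wins on a multi-proxy chain
  end
  env["rack.url_scheme"]
end

# scheme://host, as request.base_url builds it. HTTP_HOST is assumed to already
# carry a port only when it is non-default, so it is used as-is here.
def base_url(env)
  "#{request_scheme(env)}://#{env["HTTP_HOST"]}"
end

# Mirrors Rails' valid_request_origin?: a missing Origin is accepted (some user
# agents omit it), "null" is rejected, anything else must equal base_url exactly.
def origin_check_passes?(env)
  origin = env["HTTP_ORIGIN"]
  return false if origin == "null"
  origin.nil? || origin == base_url(env)
end

# Constructed Rack env for a POST /login that the browser sent over HTTPS to
# nginx, as Unicorn sees it after nginx proxied it over plain HTTP.
def sample_env(forwarded_proto: nil)
  env = {
    "REQUEST_METHOD"  => "POST",
    "PATH_INFO"       => "/login",
    "rack.url_scheme" => "http",                     # the nginx -> Unicorn hop
    "HTTP_HOST"       => "app.example.test",
    "HTTP_ORIGIN"     => "https://app.example.test", # what the browser saw
  }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto if forwarded_proto
  env
end

if __FILE__ == $0
  [nil, "https"].each do |proto|
    env = sample_env(forwarded_proto: proto)
    puts "X-Forwarded-Proto=#{proto.inspect}: base_url=#{base_url(env)}, " \
         "origin check #{origin_check_passes?(env) ? 'passes' : 'fails'}"
  end
end
```

Without the header the model reports base_url http://app.example.test and a failing origin check, which is what produces "Can't verify CSRF token authenticity" for a form that was in fact served over HTTPS; with proxy_set_header X-Forwarded-Proto https in place the two URLs agree.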