Rails, Devise authentication, CSRF issue

by

Jimbo did an awesome job explaining the “why” behind the issue you’re running into. There are two approaches you can take to resolve the issue:

  1. (As recommended by Jimbo) Override Devise::SessionsController to return the new csrf-token:

    class SessionsController < Devise::SessionsController
  def destroy # Assumes only JSON requests
    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
    render :json => {
        'csrfParam' => request_forgery_protection_token,
        'csrfToken' => form_authenticity_token
    }
  end
end

    And create a success handler for your sign_out request on the client side (likely needs some tweaks based on your setup, e.g. GET vs DELETE):

    signOut: function() {
  var params = {
    dataType: "json",
    type: "GET",
    url: this.urlRoot + "/sign_out.json"
  };
  var self = this;
  return $.ajax(params).done(function(data) {
    self.set("csrf-token", data.csrfToken);
    self.unset("user");
  });
}

    This also assumes you’re including the CSRF token automatically with all AJAX requests with something like this:

    $(document).ajaxSend(function (e, xhr, options) {
  xhr.setRequestHeader("X-CSRF-Token", MyApp.session.get("csrf-token"));
});

  2. Much more simply, if it is appropriate for your application, you can simply override the Devise::SessionsController and override the token check with skip_before_filter :verify_authenticity_token.

More Related Contents:

  1. Profile model for Devise users?
  2. How can I redirect a user’s home (root) path based on their role using Devise?
  3. WARNING: Can’t verify CSRF token authenticity rails
  4. Share session (cookies) between subdomains in Rails?
  5. No route matches “/users/sign_out” devise rails 3
  6. rails – Devise – Handling – devise_error_messages
  7. Devise redirect after login fail
  8. devise and multiple “user” models
  9. Devise Secret Key was not set
  10. Multiple user models with Ruby On Rails and devise to have separate registration routes but one common login route
  11. Custom authentication strategy for devise
  12. Heroku/devise – Missing host to link to! Please provide :host parameter or set default_url_options[:host]
  13. Devise limit one session per user at a time
  14. How to sign in a user using Devise from a Rails console?
  15. Rails API design without disabling CSRF protection
  16. Rails 3: How to “redirect_to” in Ajax call?
  17. Devise update user without password
  18. Rails CSRF Protection + Angular.js: protect_from_forgery makes me to log out on POST
  19. How do you handle Rail’s flash with Ajax requests?
  20. Rails detect if request was AJAX
  21. Rails not reloading session on ajax post
  22. Adding extra registration fields with Devise
  23. Omniauth: callback not firing, returns failure with “invalid credentials”
  24. Setting session length with Devise
  25. Rails Devise: after_confirmation
  26. Rails devise: user_signed_in? not working
  27. API Authentication for user logged in to a Web App server
  28. Customizing Devise error messages in Rails 3?
  29. Rails 2 to Rails 3 : using link_to instead of link_to_remote (including remote and update)
  30. Rails 4.0 with Devise. Nested attributes Unpermited parameters

Leave a Comment