[Solved] Why does my Rails app think I’m CSRF?


Your problem is in the User model:

before_save :create_remember_token

def create_remember_token
  self.remember_token = SecureRandom.urlsafe_base64
end

This will modify the remember_token whenever the user is saved – that is, when the user is created or updated. And when a user updates his/her profile, the remember_token is changed. This causes the login system to notice that the cookie no longer matches the user – and logs the user out.

The fix – use before_create instead of before_save.

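The behaviour described in the answer above, as an added example that is not part of the original answer and is not Rails code. It is a plain-Ruby simulation: the `FakeUser` class and `still_signed_in_after_profile_update?` helper are hypothetical stand-ins for the model callbacks and the cookie check, and show why rotating the token on every save invalidates the browser's cookie while generating it only on create does not.

```ruby
require "securerandom"

# Constructed stand-in for an ActiveRecord model (assumption: no Rails here).
# The hook runs on every save (:before_save) or only on the first (:before_create).
class FakeUser
  attr_reader :remember_token
  attr_accessor :name

  def initialize(name, hook)
    @name = name
    @hook = hook
    @persisted = false
  end

  def save
    create_remember_token if @hook == :before_save || !@persisted
    @persisted = true
  end

  private

  # Same body as the callback shown in the answer.
  def create_remember_token
    @remember_token = SecureRandom.urlsafe_base64
  end
end

# Mirrors a cookie-based session check: the browser keeps the token issued at
# sign-up, and a request is authenticated only while it matches the record.
def still_signed_in_after_profile_update?(hook)
  user = FakeUser.new("alice", hook)
  user.save                            # sign-up: token generated
  cookie_token = user.remember_token   # value stored in the browser cookie
  user.name = "Alice B."
  user.save                            # profile update
  cookie_token == user.remember_token
end

puts "before_save:   still signed in? #{still_signed_in_after_profile_update?(:before_save)}"
puts "before_create: still signed in? #{still_signed_in_after_profile_update?(:before_create)}"
```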