We include a CSRF token on the sign-in form, and sometimes, people's browsers won't send along the CSRF token when they sign in, so the backend raises an ActionController::InvalidAuthenticityToken error, which gets rendered to the user as "The change you wanted was rejected":
A snippet of this happening in the rails logs:
I, [2016-12-07T17:45:10.930354 #13577] INFO -- : Started POST "/users/sign_in" for 151.224.77.144 at 2016-12-07 17:45:10 +0000
I, [2016-12-07T17:45:10.931636 #13577] INFO -- : Processing by Devise::SessionsController#create as HTML
I, [2016-12-07T17:45:10.931694 #13577] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "user"=>{"login"=>"XYZ@example.com", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Sign in"}
W, [2016-12-07T17:45:10.932277 #13577] WARN -- : Can't verify CSRF token authenticity
I, [2016-12-07T17:45:10.932588 #13577] INFO -- : Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
I, [2016-12-07T17:45:10.932792 #13577] INFO -- : [User Id] Request was made by user id: <not logged in>
F, [2016-12-07T17:45:10.934127 #13577] FATAL -- :
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
lib/middlewares/warden_user_logger.rb:12:in `call'
lib/middlewares/fix_accept_header.rb:13:in `call'
I am able to reproduce this error by running the following javascript before logging in:
After many weeks, this user reset his cookies, and the problem went away.
In an email thread titled: "Competitor unable to login" on Dec 27, 2016.
Akash says: "I asked him. He says he checked in cookies now and there was some entry for wca there which he deleted. He is able to login now.
Thanks for your help. I'm not fully sure what happened there but I hope you do. Let me know if there is any further communication required to avoid this in the future."
Jeremy says: "Strange. The next time someone runs into this, we will try asking them to clear their cookies."
I think that every time we've seen this issue, it has been on a mobile device, but it has been on both iOS and Android, and Chrome and Safari.
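To make the failure mode above concrete, here is an added example (not WCA or Rails code; the names are illustrative) of how a Rails-style authenticity_token check works: the sign-in form carries a masked copy of the `_csrf_token` held in the session cookie, and the backend unmasks it and compares the two. It shows that a form token rendered for one session fails verification against a different (stale or swapped) session cookie, which is exactly the "Can't verify CSRF token authenticity" / 422 path seen in the log:

```ruby
require "securerandom"

# Constructed model of Rails' masked CSRF token verification (not Rails code).
TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so a mismatch does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Session side: the raw token lives in the session cookie.
def new_session
  { _csrf_token: [SecureRandom.random_bytes(TOKEN_LENGTH)].pack("m0") }
end

# Form side: the token rendered into the page is the raw token XOR'd with a
# fresh one-time pad (Rails calls this masking), so it differs per page load.
def masked_token(session)
  raw = session[:_csrf_token].unpack1("m0")
  pad = SecureRandom.random_bytes(raw.bytesize)
  [pad + xor_bytes(pad, raw)].pack("m0")
end

def unmask(masked)
  bytes = masked.unpack1("m0")
  half = bytes.bytesize / 2
  xor_bytes(bytes[0, half], bytes[half, half])
end

# Verification: only the session whose token masked the form token matches.
# Missing, empty or undecodable tokens fail closed.
def verified_request?(session, form_token)
  return false if session.nil? || form_token.nil? || form_token.empty?
  secure_compare(unmask(form_token), session[:_csrf_token].unpack1("m0"))
rescue ArgumentError
  false
end

# Mirrors the behaviour in the log: warn, then answer 422 with the user-facing message.
def handle_sign_in(session, form_token)
  return [200, "Sign in processed"] if verified_request?(session, form_token)
  warn "Can't verify CSRF token authenticity"
  [422, "The change you wanted was rejected"]
end
```

A browser holding a cookie from a different session than the one that rendered the form (the "stale entry for wca" case) lands in the 422 branch even though the user did nothing wrong, which is why clearing cookies resolves it.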