Using Rails 3.0.3 and Heroku
I get errors like InvalidAuthenticityToken for form posts on my Heroku app. In my application controller I have protect_from_forgery enabled.
class ApplicationController < ActionController::Base
protect_from_forgery
...
end
my search form
<%= form_tag(searchresults_url) do %>
<%= text_field_tag :search_query, '', :size => 14 %> <%= submit_tag(t(:search)) %>
<% end %>
Routes:
match 'searchresults' => 'home#searchresults', :as => :searchresults
class HomeController < ApplicationController
def searchresults
@query = query_string
@entries_found = Counter.where(...)
end
end
The invalid token error occurs when someone tries to search the website through my search form and they have cookies disabled and are using a smart phone. I have tried to access the website with my web browser (Firefox) with cookies disabled and it worked fine.
I do not get this behavior on "search engines" I have created (in ways I cannot use in this app), so what is wrong? Why just smart phones and cookies disabled?
What can I do to make this work?
A quick and dirty "solution" to this was to add
protect_from_forgery :only => [:create, :update, :destroy]
for the related controllers. I am not sure though what risk this poses to the website...
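An added model (not the poster's code and not Rails itself) of how Rails 3.0 forgery protection decides whether a request is verified, showing why a POST search form fails when the session cookie never comes back, why a GET search form passes, and exactly which requests the `:only => [:create, :update, :destroy]` change stops checking. The session hash, `Request` struct and helper names are assumptions made for the simulation.

```ruby
require 'securerandom'

# The HTTP method, the submitted params, and the session the cookie brought
# back (nil when the client has cookies disabled, so nothing comes back).
Request = Struct.new(:http_method, :params, :session)

# protect_from_forgery with an optional :only list, as in the question.
class ForgeryProtection
  def initialize(only: nil)
    @only = only # nil means every action in the controller is protected
  end

  # Like form_authenticity_token: the token lives in the session, so it can
  # only survive between requests if the session cookie is stored and resent.
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Like verified_request?: actions outside :only are never checked, GET is
  # whitelisted, otherwise the submitted token must match the session token.
  def verified?(request, action)
    return true if @only && !@only.include?(action)
    return true if request.http_method == :get
    session = request.session || {} # no cookie => brand-new empty session
    form_authenticity_token(session) == request.params[:authenticity_token]
  end
end

# Simulates one page view that renders the form (token generated into a fresh
# session) followed by the form submission. Assumed helper, not a Rails API.
def submit_search(protection, http_method:, cookies_enabled:, action: :searchresults)
  session = {}
  token = protection.form_authenticity_token(session)
  returned_session = cookies_enabled ? session : nil
  params = { authenticity_token: token, search_query: 'constructed query' }
  protection.verified?(Request.new(http_method, params, returned_session), action)
end
```

Narrowing `:only` exempts every action not in the list from the check, so a GET search form keeps the default protection on the rest of the controller without relying on the cookie.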