I don’t use protect_from_forgery in my application controller, and on my development environment it

Question

0

Asked: May 25, 20262026-05-25T06:53:55+00:00 2026-05-25T06:53:55+00:00

I don’t use protect_from_forgery in my application controller, and on my development environment it

0

I don’t use protect_from_forgery in my application controller, and on my development environment it works as expected, no session is generated. But on production environment the CSRF token is written to the session.

Session.inspect gives

{:_csrf_token => "duY6ATHEBzYXzg8aXdNF6CZYXicPhlFQdDodjREMwAM=",
 :session_id => "25728f624574a1d831b4510b2e7f6c92"}

Why does this happen?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-25T06:53:56+00:00

Editorial Team

2026-05-25T06:53:56+00:00Added an answer on May 25, 2026 at 6:53 am

I found that in one partial I have

<% form_tag session_path, :method => :post do -%>

and it writes _csrf_token to session.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I don’t use protect_from_forgery in my application controller, and on my development environment it

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply