Bumping to Rails 7.1 broke devise authentication, but not on development

Question

I bumped my application to Rails 7.1, and on my development server, signing in using my Devise setup works fine. However, on my staging server (RHEL7 using nginx), authentication no longer works.

At first, it claims that it cannot verify the authenticity_token. The token is being provided in the <head> as well as a hidden field in the sign-in form. Just to try to get it working, I tried to skip_forgery_protection in my locally-provided Devise::SessionsController (with no other modifications from the file generated by the gem) and oddly that didn't work, the only way I got around the protect_from_forgery was to copy the DeviseController inherited by the generated controllers from the devise repo and put skip_forgery_protection in that (Even removing protect_from_forgery from my ApplicationController entirely, as well as removing both authenticity_token tags, did not stop the CSRF error during sign-in).

Once I stopped seeing the CSRF error in the logs, I had a different problem. I authenticated, which would redirect me to a page that requires authentication, then that page would redirect me back to sign-in. In the logs, I see Devise increment my user record's log_in_count, so it seems like the authentication was accepted. But then it would act like I'm not logged in. So my hunch became that the current_user value was not being properly set in the session cookie, so I started messing with that. I was able to recreate this symptom on my development server if I set my cookie_store config to use secure: true on development (previously it was only set to be secure on non-dev envs). However, switching secure: false didn't help staging at all.

So I have a lead, but I have hit a wall. It seems like devise is silently failing at this point, failing to store the authenticated user. But it seems like if this was an issue someone would've caught it by now, so I still think it is some configuration in my app. Any ideas of where to look that might cause something like this?

Ruby 3.1.4

Rails 7.1.1

Devise 4.9.3

Tested on Chrome/Brave/Safari, no difference.

Answer 1

I had the same problem with CSFR on production server, where also other applications rails 7.0 was working correctly. Ubuntu + Passenger + nginx

The solution was to upgrade passenger

passenger --version

in my case it was 6.0.18 after running upgrade Phusion Passenger(R) 6.0.20 Everything is working correctly