My users can log in at myapp.com and it will redirect them to their subdomain, e.g. username.myapp.com
This works because I have
Downhill::Application.config.session_store :cookie_store, :key => '_domain_session', :domain => :all
in session_store.rb & a method in my application controller that checks the subdomain against username (so you can't log in to other users' subdomains).
For testing purposes, username.myapp.com and myapp.com both show a user's data after logging in.
The problem: when the user logs out from username.myapp.com, they get
ActionController::InvalidAuthenticityToken in Devise::SessionsController#destroy
BUT: when they instead log out from myapp.com it logs out just fine.
Any ideas?
EDIT
I've overridden both after_sign_out_path_for and after_sign_in_path_for
    def after_sign_out_path_for(resource)
      root_url
    end

    def after_sign_in_path_for(resource)
      dashboard_url(:subdomain => current_user.subdomain)
    end
I think this line is missing in your application layout
<%= csrf_meta_tags %>
It seems that the only way to do this is to explicitly set the session domain as discussed here: InvalidAuthenticityToken between subdomains when logging in with Rails app. Devise also has problems with IE and subdomains - https://github.com/plataformatec/devise/wiki/How-To:-Use-subdomains.
My solution:
    # config/initializers/session_store.rb
    Rails.application.config.session_store :cookie_store, {
      key: '_app_session',
      domain: Rails.configuration.domain
    }

    # config/environments/development.rb
    config.domain = 'lvh.me'

    # config/environments/production.rb
    config.domain = 'my_app.com'
If you check cookies in a browser, you will see cookies for domains 'my_app.com' and '.my_app.com' in the production environment.
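As an added example (not part of the original question or answers): a small Ruby model of how a browser scopes cookies by Domain under RFC 6265, showing which `_domain_session` cookies reach myapp.com and username.myapp.com. The `CookieJar` class, the cookie values and the leftover host-only cookie on the subdomain are constructed assumptions; Path, Secure, expiry and public-suffix rules are left out.

```ruby
# Constructed model of browser cookie scoping (RFC 6265 sections 5.1.3, 5.3, 5.4).
# Simplified: ignores Path, Secure, expiry and public-suffix checks.
Cookie = Struct.new(:name, :value, :domain, :host_only)

# RFC 6265 5.1.3: does request host `host` domain-match `domain`?
def domain_match?(host, domain)
  host = host.downcase
  domain = domain.downcase
  return true if host == domain
  return false if host.match?(/\A[\d.]+\z/) || host.include?(':') # IP literal
  host.end_with?(".#{domain}")
end

class CookieJar
  def initialize
    @cookies = []
  end

  # Store a cookie set by a response from request_host.
  # domain_attr nil means no Domain attribute, i.e. a host-only cookie.
  def set(request_host, name, value, domain_attr = nil)
    domain = (domain_attr || request_host).sub(/\A\./, '').downcase
    return false unless domain_match?(request_host, domain) # foreign Domain is rejected
    @cookies.reject! { |c| c.name == name && c.domain == domain }
    @cookies << Cookie.new(name, value, domain, domain_attr.nil?)
    true
  end

  # Cookies the browser attaches to a request for host, oldest first.
  def sent_to(host)
    @cookies.select do |c|
      c.host_only ? c.domain == host.downcase : domain_match?(host, c.domain)
    end
  end

  # Names that arrive more than once at host: the server cannot tell which is current.
  def ambiguous_names(host)
    sent_to(host).group_by(&:name).select { |_, cs| cs.size > 1 }.keys
  end
end

# Constructed scenario using the question's host names and session key.
def demo_jar
  jar = CookieJar.new
  jar.set('username.myapp.com', '_domain_session', 'old-host-only') # no Domain
  jar.set('myapp.com', '_domain_session', 'shared', '.myapp.com')   # Domain=.myapp.com
  jar
end
```

In this constructed scenario the subdomain receives two cookies with the same session key while the apex domain receives one, which is the condition to look for in the browser's cookie inspector when a token check fails on only one host.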