InvalidAuthenticityToken between subdomains when logging in with Rails app

I just added SSL on secure.mydomain.com. When someone logs in, they POST from a form on the main (www) subdomain to the secure subdomain. That's causing an InvalidAuthenticityToken error to be generated.

I've read that it's necessary to share session data across subdomains. To do this, I've already added:

config.action_controller.session = { :domain => '.mydomain.com' }

to config/environments/production.rb. This, unfortunately, has not fixed the problem.

Thanks for any help!


Rails 3, if that's what you're using, wants you to make this change in config/initializers/session_store.rb.

Rails.application.config.session_store :cookie_store, { :key => '[my key]', :domain => '.example.com' }

Give that a go. If things still don't work as expected, inspect the cookie in the browser to see if it has any special domain setting at all. That'll help narrow down whether it's the setting or the getting that's the issue :/
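To make the cookie-scope point concrete, here is an added example (not part of the original answer, and not Rails code) that models which cookies a browser attaches to the POST. The `_session` cookie name, the helper names and the plain token comparison are assumptions; it ignores the Secure flag, the public-suffix list and Rails' real session encoding and token masking.

```ruby
require 'securerandom'

# Constructed model of RFC 6265 cookie scoping. A cookie set without a Domain
# attribute is host-only; one set with Domain=mydomain.com is sent to that
# host and to every subdomain of it.
Cookie = Struct.new(:name, :value, :domain, :host_only)

def domain_match?(host, domain)
  host == domain || host.end_with?(".#{domain}")
end

def store_cookie(jar, request_host, name, value, domain: nil)
  host = request_host.downcase
  return jar << Cookie.new(name, value, host, true) if domain.nil?
  domain = domain.sub(/\A\./, '').downcase # a leading dot is ignored
  # A host may only set cookies for its own domain or a parent of it.
  jar << Cookie.new(name, value, domain, false) if domain_match?(host, domain)
  jar
end

def cookies_for(jar, host)
  host = host.downcase
  jar.select { |c| c.host_only ? host == c.domain : domain_match?(host, c.domain) }
end

# Simplified stand-in for the server side: the session cookie holds the
# token, and the login form carries a copy of it.
def login_accepted?(cookie_domain)
  jar = []
  token = SecureRandom.base64(32)
  # 1. GET the form from www: the session cookie is set, the form embeds the token.
  store_cookie(jar, 'www.mydomain.com', '_session', token, domain: cookie_domain)
  form_token = token
  # 2. POST to secure: the browser attaches only the cookies that match that host.
  sent = cookies_for(jar, 'secure.mydomain.com').find { |c| c.name == '_session' }
  session_token = sent && sent.value
  # 3. Without a session cookie there is no stored token to compare against.
  !session_token.nil? && session_token == form_token
end

puts "host-only cookie:      #{login_accepted?(nil)}"
puts "Domain=.mydomain.com:  #{login_accepted?('.mydomain.com')}"
```

A cookie scoped to `.mydomain.com` is sent to every host under that domain, so each of those hosts receives the session cookie.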


How recently did you make this change? Your browser could still have the old cookies, which would need to be deleted before you'd notice a change in behavior.

Just throwin' it out there :)


I think this line is missing in your application layout

<%= csrf_meta_tags %>

