InvalidAuthenticityToken between subdomains when logging in with Rails app

I just added SSL on secure.mydomain.com. When someone logs in, they POST from a form on the main (www) subdomain to the secure subdomain. That's causing an InvalidAuthenticityToken error to be generated.

I've read that it's necessary to share session data across subdomains. To do this, I've already added:

config.action_controller.session = { :domain => '.mydomain.com' }

to config/environments/production.rb. This, unfortunatel开发者_高级运维y, has not fixed the problem.

Thanks for any help!

Rails 3, if that's what you're using, wants you to make this change in config/initializers/session_store.rb.

Rails.application.config.session_store :cookie_store, {
  :key => '[my key]',
  :domain => '.example.com'
}

Give that a go. If things still don't work as expected, inspect the cookie in the browser to see if it has any special domain setting at all. That'll help narrow down whether it's the setting or the getting that's the issue :/

How recently did you make this change? Your browser could still have the old cookies, which would need to be deleted before you'd notice a change in behavior.

Just throwin' it out there :)

I think this line is missing in your application layout

<%= csrf_meta_tags %>