2 files changed, 13 insertions, 7 deletions

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2dc99a01f..8878026f3 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -38,8 +38,6 @@ class ApplicationController < ActionController::Base
 
   layout 'base'
 
-  protect_from_forgery
-
   def verify_authenticity_token
     unless api_request?
       super
@@ -48,11 +46,16 @@ class ApplicationController < ActionController::Base
 
   def handle_unverified_request
     unless api_request?
-      super
-      cookies.delete(autologin_cookie_name)
-      self.logged_user = nil
-      set_localization
-      render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      begin
+        super
+      rescue ActionController::InvalidAuthenticityToken => e
+        logger.error("ActionController::InvalidAuthenticityToken: #{e.message}") if logger
+      ensure
+        cookies.delete(autologin_cookie_name)
+        self.logged_user = nil
+        set_localization
+        render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      end
     end
   end
 
diff --git a/config/application.rb b/config/application.rb
index 902007d03..bba468f38 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -58,6 +58,9 @@ module RedmineApp
     # Do not include all helpers
     config.action_controller.include_all_helpers = false
 
+    # Add forgery protection
+    config.action_controller.default_protect_from_forgery = true
+
     # Sets the Content-Length header on responses with fixed-length bodies
     config.middleware.insert_before Rack::Sendfile, Rack::ContentLength