Rails 2.0.2 form_tag/InvalidAuthenticityToken/token_tag

I just upgraded to rails 2.0.2 and I’m having a problem when I switch
from cookie based sessions to ActiveRecord based sessions.

Apparently my login form which worked under rails 1.2.6 no longer
includes the proper authentication token necessary for

There are a number of people who appear to have this problem and I’ve
seen suggestions indicating I need to include <%= token_tag %>. But
token_tag is a private method and as far as I can tell, is being called.
So how do I get the form_tag to work properly under rails 2.0.2?

This is what I currently have:

<p> Please enter your username and password to access the site.</p>

<% form_tag :action => 'login' do -%>
  <p><label for="login_name">Name</label><br/>
  <%= text_field 'login', 'name'  %></p>

  <p><label for="login_password">Password</label><br/>
  <%= password_field 'login', 'password' %></p>

  <%= submit_tag "Login" %>
<% end -%>


On Jan 25, 2:36 am, “Eric M. Smith” wrote:

  <%= submit_tag "Login" %>
<% end -%>


Ok, I think I found the problem. Apparently, in the
ApplicationController (application.rb) the secret key is disabled on
the call to protect_from_forgery and it’s only a comment that tells
you to uncomment if you change the data store.

Once I uncommented the :secret value, things appear to work.
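
Added illustration (not code from this thread or from Rails itself): a simplified Ruby model of why uncommenting :secret fixes the error after leaving the cookie session store. It assumes that with a :secret the form token is an HMAC-SHA1 of the session id and that without one only the cookie store can supply a signing key; ForgeryProtectionModel, its methods and all sample values are hypothetical.

```ruby
require 'openssl'

# Hypothetical model, not Rails source. Assumption: with a :secret the form
# token is HMAC-SHA1(secret, session_id); with no :secret only the cookie
# session store can supply a signing key of its own.
class InvalidAuthenticityToken < StandardError; end

class ForgeryProtectionModel
  # store_key models the cookie store's own secret; nil for ActiveRecord store.
  def initialize(session_id, secret: nil, store_key: nil)
    @session_id = session_id
    @key = secret || store_key
  end

  # Value that would be rendered into the hidden authenticity_token field.
  def form_token
    unless @key
      raise InvalidAuthenticityToken,
            'no :secret and the session store cannot sign tokens'
    end
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @key, @session_id)
  end

  # Check a submitted token without leaking the match position through timing.
  def verified?(submitted)
    expected = form_token
    given = submitted.to_s
    return false unless expected.bytesize == given.bytesize
    diff = 0
    expected.bytes.zip(given.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed sample values.
SESSION_ID = 'constructed-session-id-0001'
cookie = ForgeryProtectionModel.new(SESSION_ID, store_key: 'cookie-store-key')
ar_no_secret = ForgeryProtectionModel.new(SESSION_ID)
ar_secret = ForgeryProtectionModel.new(SESSION_ID, secret: 'constructed-app-secret')

puts "cookie store:        #{cookie.form_token}"
begin
  ar_no_secret.form_token
rescue InvalidAuthenticityToken => e
  puts "AR store, no secret: #{e.class} (#{e.message})"
end
puts "AR store + :secret:  #{ar_secret.verified?(ar_secret.form_token)}"
```
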


I’m having the same problem with a similar form. I commented and
uncommented the secret key in application.rb, but it does not work. I
compared the value in the hidden field of the form with the value
generated for the tag “token_tag”, and they are the same.