Token_tag not generated

I’m using Rails 2.0.2 and I’d like to use the anti-CSRF feature in my
form.
This form is generated from the controller using partial rendering.

def commentform destination=""
  render :partial=>'forms/commentform', :locals => { :url=>destination }
end

and commentform looks like this
<% form_tag(:controller=>'comments', :action=>'create') do %>

<%= token_tag %>
<label for="nucleus_cf_body"><%= text("_COMMENTFORM_COMMENT") %></label>
<%= text_area :comment, :cbody, "cols" => 40, "rows" => 10 %>

<label for="nucleus_cf_name"><%= text("_COMMENTFORM_NAME") %></label>
<%= text_field :comment, :cname, "size"=>40 %>

<label for="nucleus_cf_mail"><%= text("_COMMENTFORM_MAIL") %></label>
<%= text_field :comment, :cmail, "size"=>40, "maxlength"=>80 %><br />

<label for="nucleus_cf_email"><%= text("_COMMENTFORM_EMAIL") %></label>
<%= text_field :comment, :cemail, "size"=>40, "maxlength"=>60 %><br />

<%= check_box_tag("remember", value = "1", checked = false) %>
<label for="nucleus_cf_remember"><%= text("_COMMENTFORM_REMEMBER") %></label>

<%= submit_tag(text("_COMMENTFORM_SUBMIT")) %>
<% end %>

But token_tag doesn’t produce any tag, and I get an
InvalidAuthenticityToken error.
I tried to debug and found that protect_against_forgery? returns
false.
I tested the method from the controller but at that time it returned
true.
What should I do to generate the token?

You can use @form_authenticity_token to get the value that should be
passed. You can either embed it in the url
(:authenticity_token=>@form_authenticity_token) or play around adding
it as a hidden_field. You might also investigate using form_for
instead of form_tag; I think it automatically includes the
authenticity token for you.

The different results from protect_against_forgery make sense
depending on how you did your testing. It only requires the
authenticity token when it’s processing an HTML submitted form.
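
The check discussed in this thread, as an added example that is not part of the original posts and is not Rails' own source: a stand-alone Ruby model of a per-session authenticity token, showing why an empty token_tag leads to InvalidAuthenticityToken on an HTML form POST while GET requests pass. The HMAC scheme, the secret, the session ids and the helper names `verify_request!`, `secure_compare` and `rejected?` are assumptions made for the illustration.

```ruby
require 'openssl'
require 'cgi'

# Stand-alone model of a per-session authenticity token check (not Rails source).
class InvalidAuthenticityToken < StandardError; end

SECRET = 'constructed-demo-secret' # constructed value; a real app keeps this private

# Token bound to the session: HMAC(secret, session_id). Assumed scheme for this example.
def form_authenticity_token(session_id)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, session_id)
end

# What a token_tag-style helper emits. With protection off it emits nothing,
# which is the symptom described in the question.
def token_tag(session_id, protect)
  return '' unless protect
  value = CGI.escapeHTML(form_authenticity_token(session_id))
  %(<input type="hidden" name="authenticity_token" value="#{value}" />)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# GET requests and non-HTML formats are not checked, as the answer describes;
# an HTML form submission must carry the token for its own session.
def verify_request!(method:, format:, session_id:, params:)
  return true if method == :get || format != :html
  supplied = params['authenticity_token'].to_s
  return true if secure_compare(form_authenticity_token(session_id), supplied)
  raise InvalidAuthenticityToken
end

# Convenience wrapper: true when the request would be refused.
def rejected?(**request)
  verify_request!(**request)
  false
rescue InvalidAuthenticityToken
  true
end
```

A form rendered without the hidden field posts an empty `params['authenticity_token']`, so the POST is refused even though the same controller action answers a GET normally.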