You can use @form_authenticity_token to get the value that should be
passed. You can either embed it in the url
(:authenticity_token=>@form_authenticity_token) or play around adding
it as a hidden_field. You might also investigate using form_for
instead of form_tag; I think it automatically includes the
authenticity token for you.
The different results from protect_against_forgery make sense
depending on how you did your testing. It only requires the
authenticity token when it's processing an html submitted form.
On Feb 3, 1:53 pm, Andy
<andymatsub...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> I'm using Rails 2.0.2 and I'd like to use the anti-CSRF feature in my
> form.
> This form is generated from the controller using partial rendering.
>
> def commentform destination=""
>   render :partial=>'forms/commentform', :locals => { :url=>destination }
> end
>
> and commentform looks like this
> <% form_tag(:controller=>'comments', :action=>'create') do %>
> <div class="commentform">
> <%= token_tag %>
>
> <label for="nucleus_cf_body"><%= text("_COMMENTFORM_COMMENT") %></label>
> <%= text_area :comment, :cbody, "cols" => 40, "rows" => 10 %><br />
>
> <label for="nucleus_cf_name"><%= text("_COMMENTFORM_NAME") %></label>
> <%= text_field :comment, :cname, "size"=>40 %><br />
>
> <label for="nucleus_cf_mail"><%= text("_COMMENTFORM_MAIL") %></label>
> <%= text_field :comment, :cmail, "size"=>40, "maxlength"=>80 %><br />
>
> <label for="nucleus_cf_email"><%= text("_COMMENTFORM_EMAIL") %></label>
> <%= text_field :comment, :cemail, "size"=>40, "maxlength"=>60 %><br />
>
> <%= check_box_tag("remember", value = "1", checked = false) %>
> <label for="nucleus_cf_remember"><%= text("_COMMENTFORM_REMEMBER") %></label><br />
>
> <%= submit_tag(text("_COMMENTFORM_SUBMIT")) %>
> </div>
> <% end %>
>
> but token_tag doesn't produce any tag, and I get
> InvalidAuthenticityToken error.
> I tried to debug and found that protect_against_forgery? returns
> false.
> I tested the method from the controller but at that time it returned
> true.
> What should I do to generate the token?
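As an added illustration (not code from this thread or from Rails itself): a plain-Ruby model of the Rails 2.0-era forgery check the reply describes, showing why the hidden `authenticity_token` field is only demanded on HTML form submissions and how the hidden field the reply suggests is built. The secret, the session id and the exact token derivation are assumptions for the example.

```ruby
# Added example, not part of the thread. Models the request forgery
# protection behaviour the reply describes for Rails 2.0: the token is
# only checked on non-GET requests in an HTML (or JS) format.
require 'digest/sha1'

SECRET = 'constructed-example-secret'  # stands in for the app's configured secret
TOKEN_PARAM = :authenticity_token       # the param name Rails looks for

# Session-bound token, modelled on the Rails 2.0 derivation (secret + session id).
# Current Rails uses per-form masked tokens and a constant-time comparison instead.
def form_authenticity_token(session_id)
  Digest::SHA1.hexdigest("#{SECRET}#{session_id}")
end

# What the reply recommends instead of relying on token_tag: emit the
# token yourself as a hidden field inside the form_tag block.
def hidden_token_field(session_id)
  value = form_authenticity_token(session_id)
  "<input type=\"hidden\" name=\"#{TOKEN_PARAM}\" value=\"#{value}\" />"
end

# Mirrors the shape of verified_request?: a request passes when protection
# is off, when it is a GET, when the format is not an HTML/JS form post,
# or when the submitted token matches the session's token.
def verified_request?(method:, format:, params:, session_id:, protect: true)
  return true unless protect
  return true if method == :get
  return true unless %w[html js].include?(format)
  params[TOKEN_PARAM] == form_authenticity_token(session_id)
end

# Outcome of a submission as the controller would see it.
def submit(method:, format:, params:, session_id:)
  if verified_request?(method: method, format: format, params: params, session_id: session_id)
    :ok
  else
    :invalid_authenticity_token
  end
end
```

Sending the HTML POST without the hidden field reproduces the InvalidAuthenticityToken outcome from the question, while a GET or a non-HTML format passes without the token, which is what the reply means by "only when it's processing an html submitted form".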