ActionController::InvalidAuthenticityToken in LoginController

Hi,

I'm having a problem trying to get a login controller working. When I
try and post to my login controller I get the following error:

ActionController::InvalidAuthenticityToken in LoginController#login

login_controller:

class LoginController < ApplicationController
  def login
    case request.method
    when :post
      # Rails 2.x: use the session/params accessors, not the removed
      # @session/@params instance variables. The form posts its fields as
      # user[username] and user[password], so they are nested under :user.
      if session[:user] = User.authenticate(params[:user][:username],
                                            params[:user][:password])
        flash[:notice] = "Login successful"
        redirect_back_or_default :action => "welcome"
      else
        @login = params[:user][:username]
        @message = "Login unsuccessful"
        redirect_to :action => "login"
      end
    end
  end
.....

login.html.erb:

  <div id="login">
    <h1>Please Login</h1>

    <form method="post" action="">
      <p><label for="user_login">Username</label>
        <%= text_field "user", "username", :class => 'textbox', :value
=> '', :maxlength => 40 %></p>
      <p><label for="user_password">Password</label>
        <%= password_field "user", "password", :class =>
'textbox', :value => '', :maxlength => 40 %></p>
      <p class="buttons">
        <%= submit_tag 'Login', :class => 'button' %>
      </p>
    </form>
</div>

User.rb

require 'digest/sha1'

class User < ActiveRecord::Base

  # The column is "username" (see authenticate below), so validate that
  # attribute rather than the non-existent "login".
  validates_length_of :username, :within => 3..40
  validates_length_of :password, :within => 5..40
  validates_presence_of :username, :password, :password_confirmation
  validates_uniqueness_of :username, :on => :create
  validates_confirmation_of :password, :on => :create

  before_create :crypt_password

  def self.authenticate(login, pass)
    User.find(:first, :conditions => ["username = ? AND password = ?",
                                      login, sha1(pass)])
  end

  # Hash the supplied password. The original hashed the fixed string
  # "somedigest" instead of pass, so every password produced the same
  # digest; here that string is kept only as a fixed salt.
  def self.sha1(pass)
    Digest::SHA1.hexdigest("somedigest--#{pass}")
  end

  def change_password(pass)
    update_attribute "password", self.class.sha1(pass)
  end

  protected

  # Callback: store the digest, not the plaintext, when the row is created.
  def crypt_password
    write_attribute("password", self.class.sha1(password))
  end
end

I have the :secret and :session_key set in the environment.rb

Does anyone have any ideas?

You should use the token_tag helper in your form to provide
the secret token needed by Rails for CSRF security reasons.

   -- Jean-François.

Are you saying that is the problem, or are you making that suggestion
simply for security reasons?

Forget it - got it. Thank you for the help. This worked like a charm.

<%= token_tag %>

Hi, I'm having that same exact problem while following the "Rails
Solutions" book exercises.

The difference is that I'm still new to RoR, so I couldn't get it to
work with <%= token_tag %>; I didn't find much on the net either.

Where should I add this tag and how is it used? Are there any extra
params to add to it?

In my view I have:
<%# Block form of form_tag: the opening tag is emitted by the helper and
    the matching <% end %> closes the form (the original had a stray "$end"). %>
<% form_tag({:controller => 'user', :action => 'login'},
            {:id => "login_form"}) do %>
        <label for="user_login">Login:</label><br />
        <%= text_field :user, :login %><br />
        <label for="user_password">Password:</label><br />
        <%= password_field :user, :password %><br />
        <%= submit_tag 'Login' %>
<% end %>

This happened after I uncommented the following line in environment.rb
and restarted the server:
config.action_controller.session_store = :active_record_store

If it worked for you, please help me out on that one.
Cheers.
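For anyone landing on this thread, the following is an added, stand-alone Ruby illustration of what the token_tag helper and the server-side check are doing; it is not Rails' own code and not code from any poster. It models the mechanism with a hypothetical CsrfGuard class: a random token is stored in the session, token_tag emits it as a hidden field named authenticity_token (the field name Rails uses), and verified? rejects any non-GET request whose field is missing or does not match. This covers both forms in the thread: the hand-written <form> in the first post, which needs <%= token_tag %> added inside it because nothing else emits the field, and the form_tag question in the last post (in Rails 2.0, form_tag and form_for emit the hidden field themselves when forgery protection is on, so the tag is only needed in raw <form> markup). The session hash, form markup and request parameters below are constructed sample data.

```ruby
require 'securerandom'
require 'cgi'

# Minimal model of a Rails-style authenticity token (added illustration,
# not Rails' implementation): the token lives in the session, every
# state-changing form carries it in a hidden field, and the server refuses
# any non-safe request whose field does not match.
class CsrfGuard
  TOKEN_FIELD = 'authenticity_token'    # same field name Rails' token_tag emits
  SAFE_METHODS = %w[GET HEAD OPTIONS]   # read-only methods are not checked

  def initialize(session)
    @session = session
  end

  # Return the session's token, creating one on first use.
  def token
    @session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # Equivalent of <%= token_tag %>: the hidden input to place inside a form.
  def token_tag
    %(<input type="hidden" name="#{TOKEN_FIELD}" value="#{CGI.escapeHTML(token)}" />)
  end

  # Equivalent of Rails' verify_authenticity_token: true if the request may proceed.
  def verified?(method, params)
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    submitted = params[TOKEN_FIELD]
    return false if submitted.nil?
    secure_compare(submitted.to_s, token)
  end

  private

  # Constant-time comparison so the check does not leak the token via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed walkthrough: one session, a login form rendered with the tag,
# and the kinds of request the server can then receive.
def demo
  session = {}                      # constructed stand-in for the Rails session
  guard = CsrfGuard.new(session)
  form = <<~HTML
    <form method="post" action="/login">
      #{guard.token_tag}
      <input name="user[username]" /><input type="password" name="user[password]" />
    </form>
  HTML
  {
    form_has_token:        form.include?(%(name="authenticity_token")),
    post_without_token:    guard.verified?('POST', { 'user' => { 'username' => 'alice' } }),
    post_with_wrong_token: guard.verified?('POST', { 'authenticity_token' => 'x' * 64 }),
    post_with_token:       guard.verified?('POST', { 'authenticity_token' => guard.token }),
    get_without_token:     guard.verified?('GET', {}),
  }
end

if __FILE__ == $0
  demo.each { |name, result| puts "#{name}: #{result}" }
end
```

Run it directly to see the five outcomes: only the POST carrying the session's token and the plain GET pass. A form submitted without the hidden field, exactly the situation in the first post's raw <form>, is the case that Rails reports as InvalidAuthenticityToken.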