Authenticity Token change under 2.2.2?


We have the following code which sends a request on unload of one of our pages. It was working fine until I upgraded to rails 2.2.2, but now is giving 'ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):'

Does anyone know what has changed, and what I have to do to get it working again?

var req = new XMLHttpRequest();"POST", "<%= url_for(:action => 'unlock', :id => %>", false);
req.setRequestHeader("Content-Type", "text/plain");
req.setRequestHeader("X-Requested-With", "XMLHttpRequest");


Well until 2.2.2 text/plain requests weren't checked at all (this was
a bug) so it's entirely possible that your code has been broken from
day 1. If you look at the logs does it look like the token was sent


Hi Fred,

No, the authenticity_token isn't getting through at all, and I accept that the code probably should have never worked as it stands. That said, I can't for the life of me figure out how to get the auth token to be submitted correctly using the XMLHttpRequest object. We have the token floating around (we use it in other jQuery AJAX calls), but because this particular code is being called during unload, we need it to be synchronous, and the jQuery async:false doesn't appear to work.


Well (I had to look this up since I never use raw XMLHttpRequest) the
parameter to send is the body of the request. When rails gets a text/
plain request it doesn't parse the the request body for parameters
(since you've told it that it's just a big text file). So either you
could make the type not text/plain (ie application/x-www-form-
urlencoded), and even then you'd want to drop the leading ? in the
body, or you could append it to the url you are requesting (being just
a little bit careful that you glue it on with a & or a ? as


Excellent, works like a charm, thanks for that.