CSRF / cached authenticity tokens / ajax requests

I'm going to go out on a limb here and say the new CSRF protection in
Rails is flawed. Why? Forget about caching if you care to use it.
Consider the following:

<% cache do %>
<%= link_to_remote "Add To Favorites", :url => {:controller =>
"favorites", :action => "create", "movie_id" => 2} %>
<% end %>

# Output
<a onclick="new Ajax.Request('/favorites?movie_id=2',
{asynchronous:true, evalScripts:true, method:'post',
parameters:'authenticity_token=' +
return false;" href="#">Add To Favorites</a>

The trouble is the cached (and consequently invalid)
authenticity_token being sent in the POST, which triggers the CSRF in
Rails, thereby rejecting the request. That's no fun.

Then again, maybe I'm an incompetent retard and the CSRF protection in
Rails is flawless and I'm totally missing something. Please,
somebody, educate me if this is the case.
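A small Ruby simulation of the failure the post describes (one visitor's authenticity_token baked into a shared fragment cache) next to the defensive arrangement of keeping the token out of the cached fragment and supplying it per request. This is an added example, not code from the post or from Rails; the Session class, the CACHE hash and the window._token hook are stand-ins.

```ruby
require 'securerandom'

# Stand-in for a Rails session: one authenticity token per visitor,
# checked against the token the browser sends in the POST body.
class Session
  attr_reader :token
  def initialize; @token = SecureRandom.hex(16); end
  def verify(params); params['authenticity_token'] == @token; end
end

# Fragment cache shared by every visitor, like the Rails fragment store.
CACHE = {}

# The thread's <% cache do %> block: the token is baked into the HTML,
# so whoever warms the cache leaves their token for all later visitors.
def cached_link_with_token(session)
  CACHE[:link] ||= "<a onclick=\"new Ajax.Request('/favorites?movie_id=2', " \
    "{method:'post', parameters:'authenticity_token=#{session.token}'})\">" \
    "Add To Favorites</a>"
end

# Fix: cache only session-independent markup; the page supplies the
# current token outside the fragment (hypothetical window._token).
def cached_link_without_token
  CACHE[:link_safe] ||= "<a onclick=\"new Ajax.Request('/favorites?movie_id=2', " \
    "{method:'post', parameters:'authenticity_token=' + window._token})\">" \
    "Add To Favorites</a>"
end

# What the browser would POST: a literal token from the HTML, or the
# visitor's own token when the markup defers to window._token.
def posted_token(html, own_token)
  html[/authenticity_token=([0-9a-f]+)/, 1] ||
    (html.include?('window._token') ? own_token : nil)
end

def simulate
  CACHE.clear
  alice, bob = Session.new, Session.new
  cached_link_with_token(alice)                 # alice warms the cache
  bob_html = cached_link_with_token(bob)        # bob is served alice's token
  stale = bob.verify('authenticity_token' => posted_token(bob_html, bob.token))

  bob_html = cached_link_without_token          # same cache, token left out
  fresh = bob.verify('authenticity_token' => posted_token(bob_html, bob.token))
  { cached_token_verifies: stale, per_request_token_verifies: fresh }
end

p simulate if __FILE__ == $0
```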


The 'flaw' is in the programmer who thinks he can cache dynamic content
such as....

I don't see your point. Please clarify.