CSRF / cached authenticity tokens / ajax requests

I'm going to go out on a limb here and say the new CSRF protection in Rails is flawed. Why? Forget about caching if you care to use it. Consider the following:

<% cache do %>
  <%= link_to_remote "Add To Favorites", :url => {:controller => "favorites", :action => "create", "movie_id" => 2} %>
<% end %>

# Output
<a onclick="new Ajax.Request('/favorites?movie_id=2', {asynchronous:true, evalScripts:true, method:'post', parameters:'authenticity_token=' + encodeURIComponent('a85178cac134447c87a22495662125024c1ae57e')}); return false;" href="#">Add To Favorites</a>

The trouble is the cached (and consequently invalid) authenticity_token being sent in the POST, which triggers the CSRF in Rails, thereby rejecting the request. That's no fun.

Then again, maybe I'm an incompetent retard and the CSRF protection in Rails is flawless and I'm totally missing something. Please, somebody, educate me if this is the case.

Thanks, Josh
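The failure described above, reduced to a small stand-alone Ruby simulation (an added example, not Rails' own code and not from anyone in this thread): the session-bound token, the forgery check and the fragment cache are modelled with assumed names. The fix it also shows, rendering the token in an uncached meta tag that the client reads at request time instead of baking it into the cached fragment, is one approach and is an assumption, not something proposed in the thread.

```ruby
# Added example: simulates why a fragment-cached authenticity_token fails the
# forgery check, and how keeping the token out of the cached fragment fixes it.
# Stand-alone model of the check with made-up names, not Rails' implementation.
require 'securerandom'

# One token per session, as protect_from_forgery ties the token to the session.
def new_session
  { authenticity_token: SecureRandom.hex(20) }
end

# Server-side check for a non-GET request: posted token must match the session's.
def verified_request?(session, params)
  token = params['authenticity_token']
  !token.nil? && token == session[:authenticity_token]
end

# Simplistic fragment cache: the block runs once, later calls return the stored HTML.
CACHE = {}
def cache(key)
  CACHE[key] ||= yield
end

# Flawed pattern from the post: the token is baked into the cached link.
def favorites_link_with_token(session, movie_id)
  cache("fav-#{movie_id}") do
    "parameters:'authenticity_token=#{session[:authenticity_token]}'" # frozen for everyone
  end
end

# Fixed pattern (assumed approach): the cached fragment carries no token; an
# uncached, per-response meta tag does, and the client adds it when posting.
def csrf_meta_tag(session)
  "<meta name=\"csrf-token\" content=\"#{session[:authenticity_token]}\" />"
end

# Simulates the browser: read the token from the fresh meta tag and post it.
def post_with_meta_token(session, meta_html)
  token = meta_html[/content="([0-9a-f]+)"/, 1]
  verified_request?(session, 'authenticity_token' => token)
end

# Demonstration: user A warms the cache, user B is served A's stale token.
def stale_token_rejected?
  a, b = new_session, new_session
  favorites_link_with_token(a, 2)                      # first render fills the cache
  html = favorites_link_with_token(b, 2)               # served from cache: A's token
  sent = html[/authenticity_token=([0-9a-f]+)/, 1]
  !verified_request?(b, 'authenticity_token' => sent)  # true: B's POST is rejected
end
```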

The 'flaw' is in the programmer that thinks he can cache dynamic content such as....

I don't see your point. Please clarify.

Thanks, Josh