I've just committed a change to the way we generate and use CSRF
tokens in Rails. Instead of all the stuff involving :secret and
session ids, we simply take advantage of ActiveSupport::SecureRandom.
This simplifies the tests and code drastically, and shouldn't have
any negative impact on security.
Any feedback or reports of breakage greatly appreciated.
Also, thanks to Adam Barth and Colin Jackson of Stanford for taking
the time to verify the approach with me.
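The per-session random token scheme the post describes, sketched as an added example (not the Rails commit itself): a plain Hash stands in for the Rails session, Ruby's stdlib SecureRandom is assumed to play the role of ActiveSupport::SecureRandom, and the constant-time comparison in the verifier is an extra hardening step the post does not mention.

```ruby
require 'securerandom'

# Added example, not code from the Rails commit. A Hash stands in for
# the Rails session; stdlib SecureRandom is assumed to behave like
# ActiveSupport::SecureRandom for token generation.

# Issue one random token per session and reuse it on later requests,
# so forms rendered earlier in the session keep validating. No secret
# or session id is involved: the token's only property is randomness.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Verify a token submitted with a form against the one in the session.
# Fails closed when no token has been issued or none was submitted.
def verified_request?(session, submitted_token)
  expected = session[:_csrf_token]
  return false if expected.nil? || submitted_token.nil?
  return false unless expected.bytesize == submitted_token.bytesize
  # Constant-time comparison (hardening beyond the post): compare every
  # byte regardless of where the first mismatch occurs.
  diff = 0
  expected.bytes.zip(submitted_token.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# Small driver for reading the example end to end.
if __FILE__ == $0
  session = {}
  token = form_authenticity_token(session)
  puts verified_request?(session, token)          # matching token: true
  puts verified_request?(session, token + 'x')    # tampered token: false
  puts verified_request?({}, token)               # fresh session: false
end
```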