Protecting actions from user

Hi vapor, even I faced the same problem, but I designed my project in this way; I don't know whether it suits your application.

In my application I don't have any guest user, and for each user the access to pages is restricted, except for some default pages like login, logout, etc. The restriction is done with the help of before_filter, so before anything gets executed it checks whether the user is logged in and has the particular action/actions associated as part of his role. And speaking about the create method, as Shai mentioned, all your actions which change the state of the application should never be submitted through GET, and I guess you will be having proper validation before serializing anything.

Hope it helps. Good luck.
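The check the reply describes, as an added plain-Ruby example that is not the poster's code: a before_filter-style gate that lets public actions through, requires a session for everything else, looks the action up in a role table, and refuses state-changing actions sent via GET. The role table, the public and state-changing action lists, and the request shape are all constructed assumptions for the example.

```ruby
# Constructed role -> permitted actions table (hypothetical; a real app
# would load this from its role model).
ROLE_ACTIONS = {
  "admin"  => %w[index show new create edit update destroy],
  "editor" => %w[index show new create edit update],
  "viewer" => %w[index show],
}.freeze

# Default pages reachable without a session, as in the reply.
PUBLIC_ACTIONS = %w[login logout].freeze

# Actions that change application state; never accept them over GET.
STATE_CHANGING = %w[create update destroy].freeze

# Minimal stand-in for a controller request: HTTP method, action name,
# and the logged-in user ({role: "editor"}) or nil when not logged in.
Request = Struct.new(:method, :action, :user)

# Mirrors what the before_filter does: returns :ok when the request may
# proceed, otherwise a symbol naming why it was refused.
def authorize(req)
  return :ok if PUBLIC_ACTIONS.include?(req.action)
  return :login_required if req.user.nil?

  allowed = ROLE_ACTIONS.fetch(req.user[:role], [])
  return :forbidden unless allowed.include?(req.action)

  if STATE_CHANGING.include?(req.action) && req.method.to_s.upcase == "GET"
    return :method_not_allowed
  end
  :ok
end

if __FILE__ == $PROGRAM_NAME
  puts authorize(Request.new("GET", "create", { role: "editor" }))  # method_not_allowed
  puts authorize(Request.new("POST", "create", { role: "editor" })) # ok
end
```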