Rails 2.0.2 form_tag/InvalidAuthenticityToken/token_tag

I just upgraded to rails 2.0.2 and I'm having a problem when I switch

from cookie based sessions to ActiveRecord based sessions.

Apparently my login form which worked under rails 1.2.6 no longer includes the proper authentication token necessary for protect_from_forgery.

There are a number of people who appear to have this problem and I've seen suggestions indicating I need to include <%= token_tag %>. But token_tag is a private method and as far as I can tell, is being called. So how do I get the form_tag to work properly under rails 2.0.2?

This is what I currently have:

    <p> Please enter your username and password to access the site.</p>

    <% form_tag :action => 'login' do -%>       <p><label for="login_name">Name</label><br/>       <%= text_field 'login', 'name' %></p>

      <p><label for="login_password">Password</label><br/>       <%= password_field 'login', 'password' %></p>          <%= submit_tag "Login" %>     <% end -%>

TIA EMS

Ok, I think I found the problem. Apparently, in the ApplicationController (application.rb) the secret key is disabled on the call to protect_from_forgery and it's only a comment that tells you to uncomment if you change the data store.

Once I uncommented the :secret value, things appear to work.

EMS

I'm having the same problem with a similar form. I commented and uncommented the secret key in application.rb but not work. I compared the the value in the hidden field of the form with the value generated for the tag "token_tag" and be the same.