Rails 2.0.2 form_tag/InvalidAuthenticityToken/token_tag

I just upgraded to rails 2.0.2 and I'm having a problem when I switch

from cookie based sessions to ActiveRecord based sessions.

Apparently my login form which worked under rails 1.2.6 no longer includes the proper authentication token necessary for protect_from_forgery.

There are a number of people who appear to have this problem and I've seen suggestions indicating I need to include <%= token_tag %>. But token_tag is a private method and as far as I can tell, is being called. So how do I get the form_tag to work properly under rails 2.0.2?

This is what I currently have:

    <p> Please enter your username and password to access the site.</p>

    <% form_tag :action => 'login' do -%>
      <p><label for="login_name">Name</label><br/>
      <%= text_field 'login', 'name' %></p>

      <p><label for="login_password">Password</label><br/>
      <%= password_field 'login', 'password' %></p>
         <%= submit_tag "Login" %>
    <% end -%>


Ok, I think I found the problem. Apparently, in the
ApplicationController (application.rb) the secret key is disabled on
the call to protect_from_forgery and it's only a comment that tells
you to uncomment if you change the data store.

Once I uncommented the :secret value, things appear to work.


I'm having the same problem with a similar form. I commented and
uncommented the secret key in application.rb but not work. I compared
the the value in the hidden field of the form with the value generated
for the tag "token_tag" and be the same.