Rails3 pre and protect_from_forgery

I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having
some trouble with protect_from_forgery. I had protect_from_forgery set
in application_controller.rb, but run some uploadify ajax stuff in one
of my controllers, where I had protect_from_forgery, :except
=> :add_file set.

In rails 3 I'm getting ActionController::InvalidAuthenticityToken on
the ajax upload unless I turn off protect_from_forgery completely in
application_controller.rb. Seems like the exception in my FileUpload
controller (protect_from_forgery :except => :add_file) isn't taking.

Has anyone else experienced this. Should I report a bug or am I doing
something wrong?

Thanks in advance,
Bryan

Hey Bryan, please do report a bug on Lighthouse. Let's get that fixed
up for the next beta.

Thanks!
jeremy

I'm experiencing the same issue when implementing Uploadify into a
Rails 3.0.0.beta2 application. A comment and a question:

1) You shouldn't need to disable protect_from_forgery for uploads if
you pass your session data to Uploadify, then back to Rails when you
do the upload. But for the time being, disabling protect_from_forgery
is the only way I've been able to get Uploadify to work too.

2) In order to insert middleware in Rails 3, add the following to
config/application.rb:

config.middleware.insert_before(ActionDispatch::Session::CookieStore,
FlashSessionCookieMiddleware, ActionController::Base.session[:key])

However, ActionController::Base.session[:key] is no longer where
session information is stored. I've tried accessing it with it with
Rails.application.config.session_store[:key], looked through the
source and docs.

How do you access the session data in Rails 3?

Thanks, Patrick

Chaps,
Does anyone know if a bug got filed for this issue?

Regards,
Tom

No idea, sorry. Think I just ended up hacking the session key with a
global variable.