request_forgery_protection_token should be set at ActionController::Base load time

If @@request_forgery_protection_token is not set in
ActionController::Base, it can raise an InvalidAuthenticityToken error
when one controller creates a form that will post in another
controller.

Patch and better explanation here:

http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/402-request_forgery_protection_token-should-be-set-at-actioncontroller-base-load-time