token_tag not generated

I'm using Rails 2.0.2 and I'd like to use the anti-CSRF feature in my form. This form is generated from the controller using partial rendering.

  def commentform destination=""
    render :partial=>'forms/commentform', :locals => { :url=>destination }
  end

and commentform looks like this:

  <% form_tag(:controller=>'comments', :action=>'create') do %>
    <div class="commentform">
      <%= token_tag %>
      <label for="nucleus_cf_body"><%= text("_COMMENTFORM_COMMENT") %></label>
      <%= text_area :comment, :cbody, "cols" => 40, "rows" => 10 %><br />
      <label for="nucleus_cf_name"><%= text("_COMMENTFORM_NAME") %></label>
      <%= text_field :comment, :cname, "size"=>40 %><br />
      <label for="nucleus_cf_mail"><%= text("_COMMENTFORM_MAIL") %></label>
      <%= text_field :comment, :cmail, "size"=>40, "maxlength"=>80 %><br />
      <label for="nucleus_cf_email"><%= text("_COMMENTFORM_EMAIL") %></label>
      <%= text_field :comment, :cemail, "size"=>40, "maxlength"=>60 %><br />
      <%= check_box_tag("remember", "1", false) %>
      <label for="nucleus_cf_remember"><%= text("_COMMENTFORM_REMEMBER") %></label><br />
      <%= submit_tag(text("_COMMENTFORM_SUBMIT")) %>
    </div>
  <% end %>

But token_tag doesn't produce any tag, and I get an InvalidAuthenticityToken error. I tried to debug and found that protect_against_forgery? returns false. I tested the method from the controller, but at that time it returned true. What should I do to generate the token?

You can use @form_authenticity_token to get the value that should be passed. You can either embed it in the url (:authenticity_token=>@form_authenticity_token) or play around adding it as a hidden_field. You might also investigate using form_for instead of form_tag; I think it automatically includes the authenticity token for you.

The different results from protect_against_forgery make sense depending on how you did your testing. It only requires the authenticity token when it's processing an HTML-submitted form.
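
As an added illustration (not part of the thread and not Rails' own code), here is a simplified Ruby model of what the hidden authenticity_token field carries and how a server checks it on submission. The secret, the session ids and all function names are assumptions made for this example.

```ruby
require 'openssl'
require 'cgi'

# Hypothetical server-side secret; a constructed value for this example only.
SECRET = 'constructed-example-secret'

# Derive a token bound to one session, so a token taken from a
# different session does not validate here.
def authenticity_token_for(session_id)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SECRET, session_id)
end

# The hidden input a form helper would place inside the <form> element.
def hidden_token_field(session_id)
  value = CGI.escapeHTML(authenticity_token_for(session_id))
  %(<input type="hidden" name="authenticity_token" value="#{value}" />)
end

# Compare two strings without returning early on the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# In this model GET requests pass unchecked; any other request must
# carry the token that belongs to the caller's own session.
def verified_request?(http_method, params, session_id)
  return true if http_method == :get
  submitted = params['authenticity_token'].to_s
  secure_compare(submitted, authenticity_token_for(session_id))
end
```

A form rendered without the hidden field behaves like the empty-params POST case: the check fails, which is the condition that surfaces as InvalidAuthenticityToken in the question.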