token_tag not generated

I'm using Rails 2.0.2 and I'd like to use the anti-CSRF feature in my
form.
This form is generated from the controller using partial rendering.

  def commentform destination=""
    render :partial=>'forms/commentform', :locals => { :url=>destination }
  end

and commentform looks like this
<% form_tag(:controller=>'comments', :action=>'create') do %>
  <div class="commentform">
    <%= token_tag %>

    <label for="nucleus_cf_body"><%= text("_COMMENTFORM_COMMENT") %></label>
    <%= text_area :comment, :cbody, "cols" => 40, "rows" => 10 %><br />

    <label for="nucleus_cf_name"><%= text("_COMMENTFORM_NAME") %></label>
    <%= text_field :comment, :cname, "size"=>40 %><br />

    <label for="nucleus_cf_mail"><%= text("_COMMENTFORM_MAIL") %></label>
    <%= text_field :comment, :cmail, "size"=>40, "maxlength"=>80 %><br />

    <label for="nucleus_cf_email"><%= text("_COMMENTFORM_EMAIL") %></label>
    <%= text_field :comment, :cemail, "size"=>40, "maxlength"=>60 %><br />

    <%= check_box_tag("remember", value = "1", checked = false) %>
    <label for="nucleus_cf_remember"><%= text("_COMMENTFORM_REMEMBER") %></label><br />

    <%= submit_tag(text("_COMMENTFORM_SUBMIT")) %>
  </div>
<% end %>

but token_tag doesn't produce any tag, and I get an
InvalidAuthenticityToken error.
I tried to debug and found that protect_against_forgery? returns
false.
I tested the method from the controller but at that time it returned
true.
What should I do to generate the token?

You can use @form_authenticity_token to get the value that should be
passed. You can either embed it in the url
(:authenticity_token=>@form_authenticity_token) or play around adding
it as a hidden_field. You might also investigate using form_for
instead of form_tag; I think it automatically includes the
authenticity token for you.

The different results from protect_against_forgery make sense
depending on how you did your testing. It only requires the
authenticity token when it's processing an HTML submitted form.
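
An added example, not part of the thread and not Rails' own code: a stand-alone Ruby model of the behaviour discussed above, where a form rendered with an empty token tag is rejected on POST and the same POST passes once the session token is included. The class `CsrfGuard`, its methods and the `enabled` flag are hypothetical stand-ins for the framework's forgery protection.

```ruby
require 'securerandom'
# Simplified model of a per-session CSRF token check (hypothetical names, not Rails source).
class InvalidAuthenticityToken < StandardError; end
class CsrfGuard
  PARAM = 'authenticity_token'

  def initialize(session, enabled: true)
    @session, @enabled = session, enabled
  end

  # One random token per session, created on first use.
  def token
    @session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # Hidden field for the form; empty string when protection is off.
  def token_tag
    return '' unless @enabled
    %(<input type="hidden" name="#{PARAM}" value="#{token}" />)
  end

  # GET is not checked; any other method must carry the session token.
  def verify!(method, params)
    return true if !@enabled || method == :get
    return true if secure_compare(token, params[PARAM].to_s)
    raise InvalidAuthenticityToken
  end

  # Compare every byte instead of stopping at the first difference.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed scenario: the view has protection off, the controller enforces it.
def demo
  session = {}
  tag = CsrfGuard.new(session, enabled: false).token_tag
  controller = CsrfGuard.new(session)
  rejected = begin
    controller.verify!(:post, {}); false
  rescue InvalidAuthenticityToken
    true
  end
  [tag, rejected, controller.verify!(:post, { CsrfGuard::PARAM => controller.token })]
end
```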