Ensure that the form authenticity token is present

Assume two users visit an action that is setup for caching.
If the page is not cached when the first user hits it,
the page will be generated for them and token_tag creates
a session['_csrf_token'] entry for the user.

Because the session var exists, the substitution can be done
for the first user.

When the second user hits the action, it's already cached,
so token_tag won't generate a csrf_token for them.

Calling form_authenticity_token instead of manually accessing
the session object ensures that the token is created for the user,
regardless of whether token_tag/csrf_meta_tags was called

Author: BRMatt

lib/cacheable-csrf-token-rails.rb

@@ -9,7 +9,7 @@ def self.included(base)
 
       private
       def inject_csrf_token
-        if protect_against_forgery? && token = session['_csrf_token']
+        if protect_against_forgery? && token = form_authenticity_token
           if body_with_token = response.body.gsub!(ApplicationController::TOKEN_PLACEHOLDER, token)
             response.body = body_with_token
           end
@@ -22,7 +22,6 @@ def inject_csrf_token
 
       def token_tag(token=nil)
         if token != false && protect_against_forgery?
-          token ||= form_authenticity_token
           tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => ApplicationController::TOKEN_PLACEHOLDER)
         else
           ''
@@ -42,4 +41,4 @@ def csrf_meta_tags
     end
 
   end # included
-end
+end