Rails simple form gives InvalidAuthenticityToken error

Question

I have a simple form like this:

<form name="serachForm" method="post" action="/home/search">   
  <input type="text" name="searchText" size="15" value="">
  <input class="image" name="searchsubmit" value="Busca" src="/images/btn_go_search.gif" align="top" border="0" height="17" type="image" width="29">
</form>

And a controller with this method:

  def busca
    puts params[:searchText]
  end

When I do a click on the image button in the form I get a ActionController::InvalidAuthenticityToken. here's the full StackTrace:

/Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/request_forgery_protection.rb:86:in verify_authenticity_token' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:178:in send' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:178:in evaluate_method' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/callbacks.rb:166:in call' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:225:in call' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:629:in run_before_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:615:in call_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:610:in perform_action_without_benchmark' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/rescue.rb:136:in perform_action_without_caching' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/caching/sql_cache.rb:13:inperform_action' /Library/Ruby/Gems/1.8/gems/activerecord-2.2.2/lib/active_record/connection_adapters/abstract/query_cache.rb:34:in cache' /Library/Ruby/Gems/1.8/gems/activerecord-2.2.2/lib/active_record/query_cache.rb:8:in cache' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/caching/sql_cache.rb:12:in perform_action' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/base.rb:524:in send' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/base.rb:524:in process_without_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/filters.rb:606:in process_without_session_management_support' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/session_management.rb:134:in process' /Library/Ruby/Gems/1.8/gems/actionpack-2.2.2/lib/action_controller/base.rb:392:in process' /Library/Ruby/Gems/1.8/gems/rails-2.2.2/lib/webrick_server.rb:74:in service' /Library/Ruby/Gems/1.8/gems/rails-2.2.2/lib/commands/servers/webrick.rb:66 /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:153:in require' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:521:in new_constants_in' /Library/Ruby/Gems/1.8/gems/activesupport-2.2.2/lib/active_support/dependencies.rb:153:in require' /Library/Ruby/Gems/1.8/gems/rails-2.2.2/lib/commands/server.rb:49

What is happening?

Answer 1

Along the lines of Nat, adding

<%= token_tag %> 

just after the HTML "form" tag works

Answer 2

By default, all non-GET actions requires the authenticity token to be passed along with the request. Rails uses the authenticity token to avoid CSRF attacks.

The easiest way to ensure that it is always in place, is to use the form_tag helper instead of writing the HTML by hand.

<% form_tag "/home/search", :name => "searchForm" do %>
  fields here
<% end %>