Rack middleware and form tag patch to insert csrf tokens into cached pages

application_controller.rb

class ApplicationController < ActionController::Base
  TOKEN_PLACEHOLDER = "__CROSS_SITE_REQUEST_FORGERY_PROTECTION_TOKEN__"

  before_filter :form_authenticity_token
  after_filter :inject_csrf_token

  private

  def inject_csrf_token
    if protect_against_forgery? && token = session['_csrf_token']
      if body_with_token = response.body.gsub!(TOKEN_PLACEHOLDER, token)
        response.body = body_with_token
        logger.info "Injected authenticity token '#{token}'"
      end
    end
  end

end

authentication_token_stories_test.rb

# Webrat integration test

require 'test_helper'

class AuthenticationTokenStoriesTest < ActionController::IntegrationTest

  context "with forgery protection enabled" do
    setup { ActionController::Base.allow_forgery_protection = true }
    teardown { ActionController::Base.allow_forgery_protection = false }

    should "inject authentication token when visiting home page" do
      visit '/'
      token = session['_csrf_token']
      assert token.present?
      assert_match Regexp.new(Regexp.escape(token)), response.body
    end

  end

end

form_tag_helper.rb

# From http://www.jarrodspillers.com/2010/02/06/trying-to-use-rails-csrf-protection-on-cached-actions-rack-middleware-to-the-rescue/
# Updated for rails 3.1
module ActionView
  module Helpers
    module FormTagHelper
      alias_method :token_tag_rails, :token_tag

      def token_tag(token)
        if token == false || !protect_against_forgery?
          ''
        else
          token = form_authenticity_token if token.nil?
          tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => ApplicationController::TOKEN_PLACEHOLDER)
        end
      end
    end
  end
end