I am using Rails 3.0.2, which has protect_from_forgery by default in application_controller.rb. I wanted to trigger an InvalidAuthenticityToken.
To do this I have added this JavaScript to my page:
$('input[name=authenticity_token]').val('aaa')
Checking the DOM with Firebug, I see the authenticity_token hidden field is correctly updated.
If I submit the form and check the server log, I see the corresponding parameter is correctly set to 'aaa'. I would expect to get an InvalidAuthenticityToken, but the request is processed as if the token were correct!
How is this possible?
The documentation for the authenticity token/CSRF behavior is out of date. The InvalidAuthenticityToken exception is no longer thrown in these cases; instead, your session is just reset. If you would like to handle this differently (or the old way), you can define your own behavior in handle_unverified_request on your controller.
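The following is an added illustration of the flow the answer describes; it is not code from the question, the answer, or Rails itself. It is a Rails-free simulation: the BaseController/StrictController classes, the Request struct, the secure_compare helper and the create action are all assumptions chosen to mirror the documented behaviour. The base class models the newer default (a bad token silently resets the session and the action still runs, which is what the asker observed), and the subclass overrides handle_unverified_request to get the old behaviour of raising ActionController::InvalidAuthenticityToken.

```ruby
# Stand-alone simulation of Rails' request forgery protection hook.
# NOT Rails' own code: class names, structs and helpers are assumptions.
require 'securerandom'

module ActionController
  class InvalidAuthenticityToken < StandardError; end
end

# Constant-time comparison so a token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  res = 0
  a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
  res.zero?
end

# Minimal request object: HTTP method plus the submitted params hash.
Request = Struct.new(:http_method, :params)

class BaseController
  attr_reader :session, :request

  def initialize(request, session = {})
    @request = request
    @session = session
  end

  # Lazily create the per-session token, as form_authenticity_token does.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Safe methods skip the check; everything else must carry a matching token.
  def verified_request?
    %w[GET HEAD].include?(request.http_method) ||
      secure_compare(form_authenticity_token, request.params['authenticity_token'].to_s)
  end

  # Newer default described in the answer: no exception, the session is reset.
  def handle_unverified_request
    session.clear
  end

  def verify_authenticity_token
    handle_unverified_request unless verified_request?
  end

  # Runs the before-filter and then the action, whatever the filter decided.
  def process(action)
    verify_authenticity_token
    send(action)
  end

  # Hypothetical action: reports whether the logged-in user survived the filter.
  def create
    session[:user_id] ? :created_as_user : :created_anonymously
  end
end

# The "old way": override the hook so a bad token raises again.
class StrictController < BaseController
  def handle_unverified_request
    raise ActionController::InvalidAuthenticityToken
  end
end

# Renders a form (GET, which mints the real token), then POSTs with either the
# real token (:valid) or a tampered value such as 'aaa'. Returns the action result.
def simulate(controller_class, token)
  session = { user_id: 42 }
  ctrl = controller_class.new(Request.new('GET', {}), session)
  real = ctrl.form_authenticity_token
  post = Request.new('POST', { 'authenticity_token' => token == :valid ? real : token })
  controller_class.new(post, session).process(:create)
end

if __FILE__ == $PROGRAM_NAME
  p simulate(BaseController, :valid)    # :created_as_user
  p simulate(BaseController, 'aaa')     # :created_anonymously (session reset, no error)
  begin
    simulate(StrictController, 'aaa')
  rescue ActionController::InvalidAuthenticityToken => e
    p e.class                           # ActionController::InvalidAuthenticityToken
  end
end
```

With the base controller the tampered 'aaa' request goes through and only the session is emptied, which is why the log shows the bad token yet the action still runs; overriding handle_unverified_request is the only thing that brings the exception back.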