rails 3 protect_from_forgery not doing anything

I tried to fake forgery request in my rails 3.0.8 app with no success

I have regular form and I changed the auth key with Tamper before submit it at this point I would expect rails to reset the session and therefor signout the current_user however it didn't happen, the action completed successfully and the user stay signed in

I have the protect_from_forgery statement in my application contro开发者_StackOverflow中文版ller and I tried to change config.consider_all_requests_local to false

---

Indeed... it does something but you have to code it.

The previous behavior was removed, it's a controversial decision but you can get it back including the following code in your ApplicationController:

def handle_unverified_request
  #add here code to empty the session
  raise ActionController::InvalidAuthenticityToken
end