Rails 3, protect_from_forgery and IE8 problems

I have a rails app that all works fine for me in all browsers (Safari, Firefox, IE6, 7, 8 etc)

I have a new user who has a fairly locked down version of IE8 and as soon as they try to access the app, before they even get to the login page, they get a Windows Authentication prompt appear. If they try to enter the login details they have been provided it fails. I'm not really worried about it failing, as the authentication prompt shouldn't be appearing.

As soon as I remove pr开发者_StackOverflowotect_from_forgery from the ApplicationController they can access the system fine.

I've tried suggesting allowing cookies etc, but they are still getting the problem. Has anyone got any suggestions as to other things we could look

Just to add to this. The site uses a basecamp style subdomain system. Not certain if that's an issue or not.

Which version of Rails are you using? Which authentication framework are you using?

I had the same behavior with Rails 3.0.3 and some earlier version of Devise. The issue I had was that in some circumstances IE8 decides to send 'Accept-Type: */*' in the HTTP header instead of a long line of supported formats. Somewhere within Rails/Devise something slipped and a HTTP authentication status was sent back.

I solved my problem by upgrading to Rails 3.0.5 and Devise 1.2.rc2.

In case anyone else still has problems with this, I am using Rails 3.0.9 and Devise 1.2.1 and was still having this problem. My problem was that IE won't set cookies for subdomains with an underscore in them. See this answer for the details. So I changed my subdomains to use dashes and it works now.