Session Problem with Rails 3
I'm using Authlogic 2.1.6 for Authorization in Rails 3.0.5 and I have a session cookie problem with AJAX requests.
After a POST or PUT AJAX Call I'm getting a 401 Response and a new session key. After that every call will return a 401 response. Before the POST or PUT call every GET call succeeds.
This doesn't happen in test mode, only in development and production mode.
Does anybody know how to avoid that?
EDIT: I think there is a problem with the forgery protection authenticity key, because after disabling forgery protection everything worked fine.
This is a request header which will produce a 401:
Accept:*/*
Cache-Control:max-age=0
Content-Type:application/json; charset=UTF-8
Origin:http://localhost:3000
Referer:http://localhost:3000/
User-Agent:Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
X-Requested-With:XMLHttpRequest
Rails Log entry is the following:
Started POST "/users.json" for 127.0.0.1 at Tue Apr 12 10:47:33 +0200 2011
  Processing by UsersController#create as JSON
  Parameters: {"user"=>{"password_confirmation"=>"[FILTERED]", "group_id"=>2, "lastname"=>"test1", "prename"=>"test1", "password"=>"[FILTERED]", "login"=>"test1"}}
Rendered text template (0.0ms)
Completed 401 Unauthorized in 19ms (Views: 0.9ms | ActiveRecord: 3.0ms)
EDIT2:
Next weird thing: If I send a BASIC AUTH header instead of a cookie with session ID, I'm not getting a 401, very weird.
A basic error with the 'forgery protection authenticity' is forgetting to add the csrf_meta_tag.
In your layout, add it in your header tag. Without it, no Ajax request is made with the correct token.
If it's not with Ajax, use the simple_form helper to generate the token in your form.
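The client side of what the answer describes, as an added example that is not part of the original thread: it reads the token that csrf_meta_tag renders into the layout and sends it as the X-CSRF-Token header on same-origin, non-GET requests (the request header quoted in the question carries no such header). The helper names csrfHeadersFor and sendJson are hypothetical, and the sketch assumes the layout's head contains the meta tag named csrf-token.

```javascript
// Added example: attach the Rails CSRF token to state-changing AJAX requests.
// Assumes csrf_meta_tag in the layout emitted <meta name="csrf-token" content="...">.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Read the token placed in <head> by csrf_meta_tag; null when the tag is missing or empty.
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta && meta.getAttribute("content");
  return token ? token : null;
}

// True when url resolves to the page's own origin, so the token never leaves the app.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparsable URL: treat as foreign and send no token
  }
}

// Extra headers for one request (hypothetical helper, not a Rails or jQuery API).
function csrfHeadersFor(method, url, doc, pageOrigin) {
  const headers = {};
  if (SAFE_METHODS.has(String(method).toUpperCase())) return headers; // reads need no token
  if (!isSameOrigin(url, pageOrigin)) return headers;                 // never leak it cross-origin
  const token = readCsrfToken(doc);
  if (token === null) {
    // Fail loudly in the client instead of debugging a 401 and a fresh session later.
    throw new Error("csrf-token meta tag missing: add csrf_meta_tag to the layout <head>");
  }
  headers["X-CSRF-Token"] = token;
  return headers;
}

// Browser usage: copy the headers onto the XMLHttpRequest before send().
function sendJson(method, url, body) {
  const xhr = new XMLHttpRequest();
  xhr.open(method, url);
  xhr.setRequestHeader("Content-Type", "application/json; charset=UTF-8");
  const extra = csrfHeadersFor(method, url, document, window.location.origin);
  Object.keys(extra).forEach((name) => xhr.setRequestHeader(name, extra[name]));
  xhr.send(JSON.stringify(body));
  return xhr;
}
```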