Posting to form, saying user isn't logged in, session cookie exists
I have a form that, when submitted, calls a jQuery .ajax request like:
$.ajax({
type:"POST",
url: "/posts/" + id + "/add_comment",
..
..
});
This website has subdomains, and the session cookie after logging in looks like:
name: __webt_session
value: ...
host: testsubdomain.lvh.me
path: /
Secure: No
Expires: At end of session
Now when I submit a comment, it doesn't save the comment; rather, it redirects to the login page (the HTML is for the login page, it doesn't actually redirect because it was an AJAX call behind the scenes).
Does my url for the form action have to include the subdomain?
BTW, why does it say 'Secure: No'?
UPDATE
I set the post URL to include the full URL with subdomain, and it is still redirecting to the login page. Why isn't it picking up the cookie?
When I am on the page that I am posting the form from, I am logged in just fine. The URL has the subdomain in it. It must be that when I post to the page, for some reason or another, it thinks I am not logged in and redirects me (you have to be logged in to post a comment). Very confused why it is not picking up the cookie.
Ideas?
Make sure that your post has the Rails authenticity_token if your controller's action has protect_from_forgery.
In Rails 3.0.x (x > 3), if verify_authenticity_token fails, it logs you out, so your authentication will fail.
UPDATE
To do this in your JavaScript post, you'll want to add a post parameter called authenticity_token. The value of this parameter can be determined in two ways:
1) In your controller, call form_authenticity_token and pass this value to the JavaScript.
2) In your layout, add this line
<%= csrf_meta_tag %>
This will add the following to the head of your document
<meta name="csrf-param" content="authenticity_token"/>
<meta name="csrf-token" content="Sm8z1XLTzI5HCy7+MIB+yFXiGUdS1byUHI8brHknirY="/>
You can retrieve the post value with a little JavaScript like this:
document.getElementsByName('csrf-token')[0].content
In this version, you can be uber correct and use the value of
document.getElementsByName('csrf-param')[0].content
to determine the name of the post parameter.
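Added example, not part of the original answer: one way to wire the two meta tags into the question's jQuery POST, reading the parameter name from csrf-param and attaching the token only to non-GET requests that stay on the page's own origin. The helper names (`readCsrfMeta`, `isSameOrigin`, `withCsrf`, `fakeDocument`, `demo`), the `body` field, the page URL and the token value are assumptions made for illustration.

```javascript
// Added example. `doc` is any object with getElementsByName (the browser's `document`).
function readCsrfMeta(doc) {
  const param = doc.getElementsByName('csrf-param')[0];
  const token = doc.getElementsByName('csrf-token')[0];
  // Missing tags mean the layout does not render csrf_meta_tag.
  if (!param || !token || !token.content) return null;
  return { param: param.content, token: token.content };
}

function isSameOrigin(url, pageUrl) {
  // Relative URLs resolve against the page URL, so they compare equal.
  return new URL(url, pageUrl).origin === new URL(pageUrl).origin;
}

// Returns a copy of jQuery-style settings with the token added to `data`.
// Assumes `data` is a plain object (not a pre-serialized string).
function withCsrf(settings, doc, pageUrl) {
  const method = (settings.type || 'GET').toUpperCase();
  if (method === 'GET') return settings; // GET is not checked by protect_from_forgery
  if (!isSameOrigin(settings.url, pageUrl)) return settings; // keep the token on our origin
  const csrf = readCsrfMeta(doc);
  if (!csrf) throw new Error('csrf meta tags missing: add <%= csrf_meta_tag %> to the layout');
  const data = Object.assign({}, settings.data);
  data[csrf.param] = csrf.token; // parameter name comes from csrf-param
  return Object.assign({}, settings, { data });
}

// Constructed stand-in for `document` so the example runs outside a browser.
function fakeDocument(metas) {
  return { getElementsByName: (name) => metas.filter((m) => m.name === name) };
}

function demo() {
  const doc = fakeDocument([
    { name: 'csrf-param', content: 'authenticity_token' },
    { name: 'csrf-token', content: 'CONSTRUCTED-TOKEN-VALUE' }, // constructed value
  ]);
  const page = 'http://testsubdomain.lvh.me/posts/7'; // constructed page URL
  return withCsrf(
    { type: 'POST', url: '/posts/7/add_comment', data: { body: 'hello' } },
    doc,
    page
  );
}

// In the browser: $.ajax(withCsrf(settings, document, window.location.href));
console.log(demo().data);
```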