Rails 2.3.12 writes csrf token to session that it is not asked for
I don't use protect_from_forgery in my application controller, and on my development environment it works as expected, no session is generated. But on production environment the CSRF token is written to the session.
Session.inspect
gives
{:_csrf_token => "duY6ATHEBzYXzg8aXdNF6CZYXicPhlFQdDodjREMwAM=",
:session_id => "25728f624574a1d831b4510b2e7f6c92"}
Why does this happen?
I found that in one partial I have
<% form_tag session_path, :method => :post do -%>
and it writes _csrf_token to session.