Devise ignores auth_token


Paul

Jul 17, 2012, 2:48:57 PM
to plataforma...@googlegroups.com
Hi,

I have implemented ajax authentication using devise via auth_token and it seems to work.  However, when I was testing unauthorized ajax calls by changing the authorization token in the database, I was still able to make the ajax remote call and the user is still properly identified!!  How is this possible?  I thought that maybe the authorization token was cached in the server so I restarted it, but same results.  It seems that Devise is ignoring the auth_token parameter that I pass in my ajax calls, but somehow still managed to know the user's identity.

Am I missing something?  If anyone can shine a light on this issue it would be great!

Thanks!

Paul

Paul

Jul 17, 2012, 2:50:28 PM
to plataforma...@googlegroups.com
I am using devise 2.1.2 and dm-devise 2.1.0 if it makes any difference.

Paul

Jul 17, 2012, 3:15:24 PM
to plataforma...@googlegroups.com
I figured it out.  My bad.  I was using: 

skip_before_filter :verify_authenticity_token

in some controllers that I shouldn't be using, thus causing this problem.  Still weird that it knows who the user is without the auth_token!!
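
Added example (not part of the thread, and not Devise, Warden or Rails source code): a small model of why the request was still identified. A user already stored in the session cookie is found before any auth_token check runs, and skipping verify_authenticity_token removes the step that would otherwise reset that session. The session reset on a failed CSRF check is assumed to be the Rails 3.x default; all names and values are constructed.

```ruby
# Simplified model, constructed for illustration; not Devise/Warden/Rails source.
# The token stored in the "database" has been changed since the client got its copy.
USERS = { 1 => { name: "paul", auth_token: "NEW-TOKEN-IN-DB" } }

Request = Struct.new(:session, :params, :csrf_header)

# Models verify_authenticity_token: on a missing or wrong CSRF token the
# session is reset (assumed Rails 3.x default) rather than an error raised.
def verify_authenticity_token(req)
  expected = req.session[:_csrf_token]
  req.session.clear unless expected && req.csrf_header == expected
end

# Models the lookup order: a user already in the session wins; the
# auth_token parameter is only consulted when the session holds no user.
def current_user(req)
  if (id = req.session[:user_id])
    return [USERS[id][:name], :session]
  end
  token = req.params[:auth_token]
  user = USERS.values.find { |u| token && u[:auth_token] == token }
  user ? [user[:name], :token] : [nil, :none]
end

def handle(req, skip_csrf_check:)
  verify_authenticity_token(req) unless skip_csrf_check
  current_user(req)
end

# Constructed AJAX request: the browser still sends the login session cookie,
# the auth_token parameter is the old value, and no CSRF header is sent.
def stale_ajax_request
  Request.new({ user_id: 1, _csrf_token: "csrf-abc" },
              { auth_token: "OLD-TOKEN" }, nil)
end

if __FILE__ == $PROGRAM_NAME
  # CSRF filter skipped: session survives, stale token is never looked at.
  p handle(stale_ajax_request, skip_csrf_check: true)
  # CSRF filter active: session is reset, stale token is checked and rejected.
  p handle(stale_ajax_request, skip_csrf_check: false)
end
```

To test token authentication in isolation, send the request without the session cookie (for example from a client that never logged in through the browser), so the token is the only credential presented.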