I can't figure out why the Rails core team hasn't fixed this yet...

The form_authentication_token is composed of Base64 and it kills some Internet Explorer non-Browsers when the Base64 contains '=', '+' or '/' (which happens with Base64 sometimes).

The token is generated using ActiveSupport::SecureRandom. It hands out a method called base64(). And, here is the surprise, it also hands out a method called hex(). Why the core team hasn't changed the base64(32) to hex(32) some odd releases of Rails ago is beyond me.