we can't trust CSRF for anon the way it is designed.

The page they have loaded may be cached we need a different way of delivering the CSRF potentially

app/controllers/session_controller.rb

@@ -1,4 +1,9 @@
 class SessionController < ApplicationController
+  
+  # we need to allow account login with bad CSRF tokens, if people are caching, the CSRF token on the 
+  #  page is going to be empty, this means that server will see an invalid CSRF and blow the session
+  #  once that happens you can't log in with social
+  skip_before_filter :verify_authenticity_token, only: [:create]
 
   def create
     requires_parameter(:login, :password)