I’m going to answer my own question as I’ve managed to work out what was going on. I’ll post it here in case it’s useful to anyone else!
After investigating further, I worked out that the code that was supposed to be setting the request header with the CSRF token, wasn’t. This was the original code:
$(document).ajaxSend(function(e, xhr, options) {
var token = $("meta[name="csrf-token"]").attr('content');
xhr.setRequestHeader('X-CSRF-Token', token);
});
What was happening was that this code wasn’t setting the header, Rails was receiving an Ajax request, the token didn’t match and it was resetting the session. This used to raise an ActionController::InvalidAuthenticityToken error (I suppose I would have caught this earlier if an error was raised… oh well), but since Rails 3.0.4 it now just quietly resets the session.
So to send the token in the header, you have to do this (many thanks to this marvellous blog post):
$.ajaxSetup({
beforeSend: function(xhr) {
xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').attr('content'));
}
});
And now it all works as it should. Which is nice.