Have you ever checked your cookie?
I encountered the same problem earlier today and it turned out to be a problem with my cookie configuration. As your application still won't work without CSRF enabled, I think either your login_controller or session_store has bugs. Read session_store.rb
and your_environment.rb
carefully and maybe you can find what's wrong.