move protect_from_forgery to the beginning of the before_filter chain as per the recommended rails practices

app/controllers/application_controller.rb

@@ -24,6 +24,12 @@ class ApplicationController < ActionController::Base
   layout 'base'
   exempt_from_layout 'builder', 'rsb'
 
+  protect_from_forgery
+  def handle_unverified_request
+    super
+    cookies.delete(:autologin)
+  end
+
   # Remove broken cookie after upgrade from 0.8.x (#4292)
   # See https://rails.lighthouseapp.com/projects/8994/tickets/3360
   # TODO: remove it when Rails is fixed
@@ -38,7 +44,6 @@ class ApplicationController < ActionController::Base
 
   before_filter :user_setup, :check_if_login_required, :set_localization
   filter_parameter_logging :password
-  protect_from_forgery
 
   rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token