diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 276c70330738e8e45faeb8368353fb05cbb1543a..6765314df22d5cf4ba0a0926a0d440df830c6e1a 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -12,11 +12,10 @@ module RequestForgeryProtection
     included do
       # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
       # sets it to <tt>:authenticity_token</tt> by default.
-      cattr_accessor :request_forgery_protection_token
+      config.request_forgery_protection_token ||= true
 
       # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
-      class_attribute :allow_forgery_protection
-      self.allow_forgery_protection = true
+      config.allow_forgery_protection ||= true
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
@@ -80,9 +79,47 @@ def protect_from_forgery(options = {})
         self.request_forgery_protection_token ||= :authenticity_token
         before_filter :verify_authenticity_token, options
       end
+
+      def request_forgery_protection_token
+        config.request_forgery_protection_token
+      end
+
+      def request_forgery_protection_token=(val)
+        config.request_forgery_protection_token = val
+      end
+
+      def allow_forgery_protection
+        config.allow_forgery_protection
+      end
+
+      def allow_forgery_protection=(val)
+        config.allow_forgery_protection = val
+      end
     end
 
     protected
+
+      def protect_from_forgery(options = {})
+        self.request_forgery_protection_token ||= :authenticity_token
+        before_filter :verify_authenticity_token, options
+      end
+
+      def request_forgery_protection_token
+        config.request_forgery_protection_token
+      end
+
+      def request_forgery_protection_token=(val)
+        config.request_forgery_protection_token = val
+      end
+
+      def allow_forgery_protection
+        config.allow_forgery_protection
+      end
+
+      def allow_forgery_protection=(val)
+        config.allow_forgery_protection = val
+      end
+
       # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
       def verify_authenticity_token
         verified_request? || raise(ActionController::InvalidAuthenticityToken)
@@ -109,7 +146,7 @@ def form_authenticity_param
       end
 
       def protect_against_forgery?
-        self.class.allow_forgery_protection
+        config.allow_forgery_protection
       end
   end
 end
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
index ca03fc62da771f9a604f98fb73205dd52a6e6c46..6a3afbb15734b8ee56052683b750978d5eb1435e 100644
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -46,10 +46,11 @@ class Railtie < Rails::Railtie
     initializer "action_controller.set_configs" do |app|
       paths = app.config.paths
       ac = app.config.action_controller
-      ac.assets_dir = paths.public.to_a.first
+
+      ac.assets_dir      = paths.public.to_a.first
       ac.javascripts_dir = paths.public.javascripts.to_a.first
       ac.stylesheets_dir = paths.public.stylesheets.to_a.first
-      ac.secret = app.config.cookie_secret
+      ac.secret          = app.config.cookie_secret
 
       ActionController.base_hook { self.config.replace(ac) }
     end